
A Brief History of the Information Security Industry

BSides Delaware · 2015 · 1:01:15 · 979 views · Published 2015-11
Style: Talk
About this talk
BSides Delaware 2015 Speaker: Space Rogue @spacerog Talk: A Brief History of the Information Security Industry #Security #BSidesDE #BSidesDelaware #BSidesDE2015 #SecurityBSides
Transcript [en]

all right so it's about 10:30 according to my watch the clock seems to be slow we'll get started uh in case you hadn't noticed this is a history of the information security industry or brief history um my name is Chris Thomas or space Rogue I've done a few things in the industry been around for a little bit but that's really a big deal currently strategist table network security I have to mention them because they paid me to be here um so it's important to like not really believe me when I'm talking up here uh this is really I mean I've been in the industry for 20 years or so so what I'm going to cover is really

my uh impressions of the industry and what I think is important and maybe I'm going to miss something that you think is important but hopefully this gives you enough information to ask some questions and maybe go out on your own and do your own research um I it's sort of chronological it's not 100% % chronological uh I do start in the past and I do end up in the future but all this stuff in the middle is kind of you know however I felt it f fit best together um and again it's not 100% complete uh title page had the word brief on it there in red letters so yeah I only got 50 minutes to cover like

3,000 years of History so uh let's start in the past uh the information security industry as we know it doesn't really start until around 1980 or so give or take uh it doesn't really even get bigger for another decade after that uh to to be measurable I think uh but you know as long as people have had information they've looked for ways to store it and looked for ways to store that information away from other people to keep secrets if you will right so once they started writing things down they realized that they needed to keep information secure you know but what good is the information if you can't share it is really the question that I

ask um so we have here a picture of an early Tumbler lock uh Circle 1,000 BC um probably used on a granary you know in the middle of the pyramids or something thank you gez trying to get a topical joke in there it didn't come out very good but anyway all right um one of the first bits of encryption if you really want to call it that was a Caesar Cipher a simple substitution Cipher Julius Caesar didn't invent it uh but he what he did use it a lot and it was became popular because of that it was named Caesar because he used it a lot not that's why not why it became popular but anyway

this wasn't the first you know code um but it is one of the uh again most popular I'm using the same word over all right so you have various codes that happened uh there was a code uh by Jefferson had used the had had a encryption device I don't want to call it encryption because by today's standards it really wasn't but uh long uh about in 1925 this guy Arthur shabus uh invented the electro uh the Enigma machine which was an electromechanical machine it wasn't a computer machine uh it wasn't electron it wasn't a no chip in it right had rotors manually moved it was a brilliant machine not for so much for the way that

it encrypted information um but what it forced the Allies to build to defeat it which was the bomb literally it was the bomb uh designed by alen Turing in 1940 if anybody here has seen the movie incred The imitation game I almost said incredible mind different movie uh the imitation game gives you a good idea of of the struggles that happened in order to build this machine and the weaknesses that were found in how the Germans were using the Enigma in order for it to be broken and the all the messages to be decoded and how for the Allies to win the war uh but the bomb was the precursor to other uh Electro mechanical machines um the

electrical numerical integrator and computer or the eniac uh this was really the first general purpose computer uh it was used to compute ballistic firing tables but and you had a lot of machines like this being built once the World War II was over right you had the biac Colossus Harvard Mark 1 basically every major uh college or research institution built their own computer um and eventually IBM and Honeywell and others started standardizing the systems and selling them to business to commute amortization tables and payroll but the thing here is that none of these machines talk to each other right there's really no security involved here there for all intents of purposes what we would call a Singler

user system um the security involved locking the door uh as long as the door was locked the computer was Secure the information was Secure uh so there was no industry outside of door locks uh for computer or information security right that started to change around about 1960 uh with the AT&T data phone uh this is you know basically your first modem this allows computers to talk to each other that weren't in the same building uh but again no one's really thinking about security here either right because all this data was sent over AT&T because it was the only phone company in town at the time and of course AT&T is secure because they said so um right and nobody had really even

thought of what we call Now call man- in the- Middle attack uh so really your security again is still the physical aspect right you're still dealing with locked doors uh and physical access into the systems uh little side note here I don't have this in here but the MIT lockpicking Club this is how they got their start right they wanted to get into the computers to use them and so they needed to learn how to pick locks so they could get into the room where the computer was um and if you get if you download the MIT lock picking guide I think it says something about that in there but that was a whole reason for

the MIT lockpicking club and one of the reasons why we still do lockpicking at conferences now uh was because the physical security was such an important part of the information security and it still is um so but we're still dealing with single user machines they're talking to each other over the phone lines um and it wasn't until multic Multiplex information and Computing service one of the very first if not the I think it was the first multiple user operating system uh the the picture here is of a GE uh 645 I believe um now multic was uh started in ' 64 Bell Labs quit the project in 1970 uh most of the engineers that worked on multic went on to create

Unix so a lot of people think that multic they say multic was a failure right oh it was a bad operating system but most of the features that were in mulix eventually found their way into Unix right the last commercial installation of multic wasn't turned off until 2000 um and it was released in this open source in in 2006 so multic is still kind of around a little bit but this is really where we start start thinking about information security uh uh in a computer type mind frame mind work frame I can't think of the word anyway uh so now we have a multi-user operating system we have ways for computers to communicate with each other

uh and of course that results in the internet uh this map is actually from 1971 but the arpanet was started in 1970 uh basically you had four nodes in 1970 and by 1971 you had 18 nodes notice here you have a cluster around Boston and a cluster around San Francisco uh if You' ever read Steven Levy's book hackers uh he goes into great detail about the East Coast versus West Coast hippies Versus Suits um and it's it's an interesting dichotomy there the east and west and how the computer and the internet grew but anyway it's a side side traffic uh so here we security again starts to become more of a concern right we have we don't have an industry

at all we don't have anybody selling security yet um but everyone's either an academic or they're in the military you have trusted endpoints you have known users it's not really that big a deal right because there's no again nobody's thinking about man in the midal attacks nobody's thinking about all these other types of attacks that we have today because everybody knows everybody else on the internet there's only 18 endpoints each endpoint maybe has you know a dozen or two dozen users uh you're not really concerned about bad guys intercepting your traffic a lot of that starts to change in 1981 uh with the introduction of the IBM PC uh it's introduced retail price for the PC was

$1,565 uh the haze modem 300 Bond um I don't know some of you probably don't understand what bot is but it was slow um I mean you download a web page now in a couple of seconds and it's full of graphics and animations and all that you take one of those pictures and try to download it at 300 bot it would take like an hour um but the Hy smart mode and retail for $299 so here you have a complete Computing system for under two grand uh basically very much affordable uh you know comparably speaking uh and shortly after this you have tan you have Atari Apple Commodore Etc all quickly followed and built their own computers and you

have the start of the personal computer industry um all right so we've now jumped from 1000 BC to 1981 and we really haven't done any security stuff whatsoever industry-wise right nobody's selling anything that starts to change in the 70s all right so I see not chronological I was at 81 now I'm at 76 7 um I want to say their names Ron rivest Addy Shamir and Leonard Adelman developed the RSA security building uh off the work of Whit Diffy and uh Helman and I forgot his first name anyway the Diffy Helman key key exchange uh I'm sorry Martin Martin Helman thank you very much um those are important names I didn't want to make sure I get them out

there uh so the Diffy Helman key exchange is the basis of the RSA logorithm and they developed an logorithm in 1977 but they didn't found the company until 1982 um crypto cryptography at this point was basically the realm of the NSA they owned all the crypto and they didn't really want any of the crypto to get out and so they had uh the the RSA guys had a really hard time basically fighting the uh the NSA to be able to develop an alogorithm that they could use uh and sell uh to promote security cuz at this point we now we know we have the internet and we know that there's going to be Commerce on the internet and so uh

with DIY Martin Helman uh the RSA guys they all realize like the only way that we're going to be able to have communication and commerce on the Internet is a way that we can secure it and so we need to find a way to secure this communication and so that was one of the motivations behind developing these strong encryption algorithms if you really want to learn more about the whole crypto revolution of the of the 70s and 80s crypto how the code Rebels beat the government saving privacy in the digital age by Steven Levy excellent book uh really gets into the the nitty-gritty details of the behind the-scenes political mess that cryptography was um but this really is

the birth of the security industry RSA and secure Computing um secure Computing basically came out of Honeywell Honeywell was a a mini Mainframe computer vendor uh in the 70s and 80s um and they ipoed in 95 uh I believe I don't remember who got ended up buying them I'm sorry maffy B secure Computing okay um yeah I knew some people that worked there back in the late 90s so uh anyway this this is really the start of the industry as as it were uh yeah security computer was basically an NSA contractor it took him several years to morph from NSA contractor uh into a commercial product uh sector to do all right so let's back up a little

bit more uh blue box circuit 1970 I mentioned the blue box uh because while it really has nothing to do with uh the industry it does have a lot to do with the industry which I know makes no sense basically you have uh famously Steve Jobs and Steve wnc building blue boxes to sell them so they can build Apple computer or use the money to build to build Apple computer computer but this also starts the freaker movement and this becomes more important later on but your freers uh people who explored the phone systems uh for for fun mostly I suppose there was some profit there uh but people who explored the phone systems would basic later became your

hackers and then now with Wi-Fi and cellular became your freakers again so it's kind of a full circle thing and I'll I'll bring this back up again in a minute uh another thing that's important to the industry I think 1983 war games uh this is a major major movie to a lot of people who are in indust Industry today this motivated a lot of people to get started in in in computers and information security although in the 80s we didn't call it information security it was just computers um but a lot of people would not be where they are now without this movie uh this movie is also one of the reasons for the Computer Fraud and Abuse Act in

1986 uh a lot of people thought this movie was inspired by Kevin mitnik when it's kind of actually the opposite when Kevin Uh Kevin mitnick's prosecutor mentioned in his trial that Kevin could whistle into the phone and launch nuclear weapons uh that that was after this movie came out and so the prosecutor probably got the idea of that from the movie which of course is not true at all nobody can whistle into a modem whistle modem tones into a phone H all right uh where am I Frack 1985 uh was the first issue but the most important issue is the Frack 49's or one of the most important issues Frack 49 smashing the stack for Fun and Profit by

alf1 Elias Levy uh this is really where you start seeing security information being broadly disseminated uh there's no industry here uh because up until this point really uh security information was a tightly held closely knit sequence among your major sadmin at major universities and corporations and they had special private mailing lists where if somebody found a bug they would mail everybody and say hey I found a bug in this OS uh but don't tell anybody else because I don't want anybody break my system uh and it was all very tribal knowy uh and this sort of got the information outside the tribe into other people's hands um and was again a great motivation for a lot of people uh there

was a lot of papers uh papers that came after this uh buffer overflows for Fun and Profit comes to mind um that were directly inspired by this one uh smashing the stack for Fun and Profit the other thing that Frack did that was very important as it is that it created a community uh of freakers who have now sort of morphed into hackers right uh because of the articles in Frack called the Frack world news um and the all the technical topics that the the easy and covered it wasn't just uh sharing of information it gave the readers of the magazine sort of a sense of shared identity because you would read these news articles that were in the Frack

world news about somebody something happened ACR something happening across the country where you know a bullet board system gets raided or or uh you know the the phone company gets somebody else arrested for blue boxing or what have you and it sort of brings a community together because by and large most of the people who are reading Frack are doing so on their local bulletin board systems yes there are some people who are abusing the phone system and dialing long distance and calling boards around the country but for the most part A lot of people are local and they're not making these long-distance calls and they're stuck on their local bullettin board systems and they would get a copy

of the Frack world of frack and read it and sort of have that sense of community uh and so again because and I'll get to this later your hackers then become your industry later on uh so really the very first big major security event the first breach uh if you will and this if you compared it to today I would equate it to the size of Target or OPM right the robit the robit I always want to call it tap and Morris worm I don't know why Robert Morris worm from 1988 uh it was actually very simple worm uh it took advantage of weak passwords which are still a problem today um and basically it was a there was a

coding error that made it replicate faster than it was supposed to uh and as a result you had to denial of service across multiple sites on the internet um this made national network TV news most people had never heard of the internet before this and Morris worm changed all that right because before the Morris worm the internet was excuse me free and open and and you know free love and academics collaborating and sharing and you know happy love and and hippie time right after the Morris were people realized well bad things can happen we need to maybe close some things up change our passwords uh use better passwords maybe have some other security measures in place this really starts

people thinking about security especially when you compare in conjunction with now this was 1988 uh the very next year Clifford stole publishes his Egg book um anybody here seen the movie or read the book one two go out and get the book uh or watch the movie the movie's kind of boring but watch it anyway it's an interesting story because this is 19 uh 86 right and Clifford sto's assisted men at some school somewhere I forget where uh and he's noticing some anomalies on his Network and he realizes there there's there's somebody after months and months and months of invest investigation realizes somebody's trying to break into his network uh and then basically sets up the first honey

pot uh the bad guys break into the Honeypot steal some documents and then they trace it back to this guy in Ohio uh who of course denies all knowledge um but it's an interesting interesting story uh and if you're in the information security industry or want to be in the industry I highly recommend reading this book but again uh you have uh and also at the same time I don't have a picture of them but Bill Cheswick and Steve Bellin bellan uh were noticing a lot of attacks happening against their networks and they were talking about them um and so there was starts to become an an awareness on the internet of what's going on that people hadn't

realized before or that's starting to go on and that it isn't all peace love and understanding and collaboration and Academia and everybody loves everybody that there is other stuff that's happening that's not good that people need to be aware of that so that's all in the uh late 80s oh I guess we're still in the late ' 80s all right but remember we have the birth of the the personal computer revolution in uh what 82 83 81 was PC right IBM PC in 1981 so by 1986 uh we have the first well it's debatable whether it's the first some say it was a uh creeper virus in 1971 which hit the pdp10 some pay it was an Apple 2 virus called elk

cloner that hit in 1982 uh but the brain virus uh was one of the really first widespread viruses hit the uh PC Computing platform but within a year after the brain virus you had viruses uh on Amiga uh you had which was the sca virus which I think was the first one the Mac platform had a virus Enver a or Enver B I don't remember which one it was uh that was in 1987 uh so shortly after you have the first major virus in PC land in 1986 you have the birth of the antivirus industry so these blood suckers have been around for a very long time uh 1987 maffy F secure in ' 88 uh semantic antivirus

from mtos in ' 89 this is really the start of the industry it starts with antivirus yes we have RSA we have some computer Computing already but these people people are making money like lots of money um RSA doesn't really make a lot of money until they can sell their their logorithm to Lotus uh which is a few years I think it's right about the same time uh and they had a big fight selling it to Lotus this is where your regular user your PC home user starts to think about security and they think oh I'm going to buy this one product then I'll be all safe and gee they still do that today um but anyway

so in 1989 we also have the introduction of the worldwide web right the internet was around but of course it was all FTP and gopher and IRC and uset um most of those Protocols are basically don't exist anymore uh because they've all been replaced by HTTP um so Mosaic was announced they released in 1989 but you really didn't see the web take off until 94 93 95 that time frame but this really opened the door or to the internet to non-technical users um prior to this you really had to be know have a little bit of Arcane knowledge at least to try to configure your machine to be on the internet I mean I remember trying to set up tcpip

uh and set up IP addresses on a Mac uh you know an OS 7 uh and it just like you know you had to know subnet masks and all these crazy numbers that you had to figure out uh but the web uh Mosaic really made it simple point and click anybody can get on anybody can click stuff all right let's uh talk about a little bit more of the influences of in in the early days all right I put Loft up there I was a member of Loft um we really didn't start doing security stuff until maybe 94 or 95 Loft crack which is a product we wrote didn't come out until like 96 or 97 um and I

put it up there not to toot my own horn but it seems to have had a big bigger influence than I like to or seem to remember it having so it's added um Defcon Defcon one had 100 people it now has over 15,000 uh if you've never been to Defcon it's the largest hacker gathering in the world I recommend everybody go at least once and then never ever go again uh it's an experience and if you're if you're new to the industry or if it's you know you should go one time and same for RSA um but Defcon is important because it spawned the black hat conferences right which is actually a major conference uh in the industry uh

RSA was started in 91 uh and when it started though it was mostly about crypto it wasn't about Security in general remember uh RSA basically their only product at the time was cryptography they were selling uh different logarithms uh and so their conference was mostly about cryptography they by 93 however just two years after they first started they already expanded to be more General uh include a broader range of security and sneakers sneakers like War Games had a major impact on the people in the industry today um it was it was a very uh moving movie for myself uh and it was basically interesting to see people who are getting paid to do the things that I was doing for fun and

I think um you know I think it had somewhat of a impact on Loft as a whole as to why we sort of went a little bit commercial uh but anyway it's an important movie and impact a lot of people all right let's get back to the industry up until now like I said the information security was basically tribal knowledge it was passed from one sisted men to another it was shared on mailing list um you know if you were a assisted men you would try to find out the security problems and the the products that you were admitting but there weren't any companies selling anything right other than antiv virus um so the firewall idea the the

idea of the firewall had been floating around for a while uh but the first actual product brought to Market was developed by Marcus ROM uh and Marcus's famous quote here Dex seal was interesting because it had a part number and a manual and a corporation behind it um and so this is really one of the first non- antivirus products that you have for sale and again your beginning of your industry also uh that was followed closely by checkpoint which had firewall one and ' 93 and they still use the same logo they need some marketing people I think um yeah they need a new logo but anyway that was 93 so by 94 right you

have firewalls and internet security by Cheswick and bellan remember I already mentioned them they had been basically talking back and forth and and Publishing information uh on the internet uh populating news groups and and and mailing lists and these guys were this this this was a really important book because uh uh again it it really got people to think about security and like oh you know I really need to do something about this because I'm on the internet now and there are other people than just academics and military people here um so you know maybe I actually need to to do something uh so this was an important book and helped again motivate the industry Kevin mitnik 95 '95 was a big

year a lot of stuff happened in 95 um Satan Satan was huge was released by Dan farmer and I can't pronounce his name West venoma did I get that right close enough um it was Cutting Edge at the time but it was really just a vulnerability scanner right basic simple vulnerab scanner it had a cool name uh Security Administrative tool for analyzing networks uh press picked up on this a lot mostly because of the name I think and the fact that it was called Satan um I think people underestimate the importance of having a good name when it comes to marketing your product um it scared people Satan really scared people uh it they got threats from the

doj Department of Justice um but it was an important tool to have come out because it didn't really come out from a company right but what did come out from a company uh was verisign which was spun off from RSA uh verisign is important because they were selling uh SSL Sears right certificate IDs by 96 everyone was using ver uh excuse me verisign IDs netgate Visa AOL IBM Microsoft they all had products uh search from from veras sign of course we now know SSL is hopelessly Broken But at the time it was important 95 again Netscape Navigator comes out and it supports SSL this is what helped veras sign sell so many CS uh you have the NSF lifting its

prohibition on Commercial activity on the internet if this had never happened we wouldn't have am Amazon right because right after they did that Amazon and eBay or auction web was founded um and so now we have credit card numbers on the internet uh and if that didn't help this industry I don't know what did uh also in the late 90s we have a bunch of laws that get passed Hippa Copa dmca uh health information privacy accountability and did I spell that right there's not I can never remember if it's two P's or two A's and I know it's really bad form to get it wrong uh Copa child online privacy and protection act and digital mnium Copyright

Act and the New York Times was defaced 1999 hacking for girlies this was a I like this defacement this was awesome um has a cool graphic right that has awesome notes in the in the HTML if you read the HTML uh there was actually a message behind it it wasn't just defacement for the sake of Def facing uh really every defacement group should hire an artist I think but anyway the other things that happened in uh the late 90s was the I don't know what to really call it the worm the worm man the worm craziness because they just they just every other month you had a new one right I got a few of them up here Melissa I love you

code red nimda Blaster Sasser my Doom um and this is just a small sample like every other week it seemed like there was another big worm that was coming out that was taking down massive networks due to denial of services and and and interrupting important systems and antiv virus of course could do nothing about this because you know they're a bunch of shills uh but the these guys are important and I think I have these later on because they they force some other big companies to do some stuff and we we'll get to that another slide um Major Impact on the industry Y2K which people think Y2K that had nothing to do with security uh but the

fear over Y2K was huge and for those of you that don't remember uh Y2K was the year 200000 bug where uh software coders had uh coded a two-digit variable for 99 uh and did not or and when things flipped over in 2000 and they didn't have a four-digit variable there everything was going break and go to hell and planes were going to fall from the sky and the world was going to end and spin off into space um the whether or not the problem was real or as big as it was feared the fear was real the fear was huge um I remember in Somerville Massachusetts uh there were afraid that the the stop lights

would stop working um whether or not they actually had a date function in them or not I don't see why they would but they started putting stop signs up at every four-way intersection because they were afraid that people were going to just forget how to stop um but yeah the fear over Y2K was huge and the the the fear helped fuel the infosec industry because you had a lot of money going into technology at the time and so while people are fixing this Y2K bug they're also implementing security fixes and as a result in the early 2000s you have a plethora of Internet Security compan companies that get founded all these companies are founded between the

end of 1999 I'm sorry between 1999 and the end of 2000 and there's probably another dozen on here that I that I've forgotten about um you basically had the.com bubble and Y2K at the same time and so money was like on trees you could just like go pick it and hey I got a security company oh here's some money oh thank you um but you have to ask yourself and this is where we go back to some of the previous slides I had where did all the people come from that are running these companies right there was no security industry before you couldn't go to school and get a security degree but suddenly we've got you know a

couple hundred Security Experts that are starting companies well they're your hackers and freakers and and people who got inspired by War Games who are dialing bbs's you know 10 15 years before this uh that's where they came from those are the people that have started your industry yes Mr Potter I've been waiting for you yeah I I had a discussion with this on about from somebody and I don't remember why I put them on there but I think they were founded earlier but they got big money in 99 oh I think that's what happened I think they were around in the earlier 90s but they got like a big like series b or something in yeah

yeah yeah I so no no please so I built this I built this deck uh six months ago uh yeah that explain yeah that explains it yeah six months history changes um no and I asked a bunch of people if you if you read my Twitter which you don't obviously I asked a bunch of people who what companies they remember and somebody said ISS I'm like they didn't coment and then they gave me a big long explanation I looked it up and it it checked out so all right you can take them off you know I'll edit the slide right now I'll remove it um so yeah so uh it it was really an interesting time in

the industry um because you had at the time you had maffy you had semantic you had some of the other big antivirus companies and they were big and they still are big huge companies but they were antivirus right there weren't really a and you had uh you know uh checkpoint firewall there was a couple other companies like that that were selling security products but in 99 2000 it was like a bomb went off and boom spread security companies all over the place which is kind of what's happening today right you have the same sort of I don't want to call it a bubble because New York Times said it wasn't a bubble um but all these all the people that are

populating these companies have been around for a while uh and and they had cut their teeth on Bulet board systems uh and whatnot all right so I wonder if anybody else remembers this uh political cartoon nobody anybody this says this says Mafia boy do that help that doesn't help so uh in his name actually isn't Mafia but his real name is Michael Cal and he's from Quebec uh and in early February of 2000 uh he launched dos attacks against Amazon and eBay and Yahoo and CNN and Dell and erade and nine of the 13 DNS root servers um he he caused a lot of uh stuff to go down and become unavailable um he supposedly caused $1.2 billion in

damage, global economic damages, right? And they caught him because he bragged about it on IRC. So yeah, don't brag about stuff on IRC. He was arrested about 15 years ago; he got eight months in juvie, oh, and a year of probation, because he was in Canada. If he was in the US he would have got the electric chair, but yeah. But he's had a pretty successful career since then, and he's rather well known in Canada. But the importance here is that, again, we're in the, I'm sorry, when was this? This was 2000, so we've just come off Y2K, we've just

come off all this money put into the internet and these other companies, and he goes and takes down half the internet, basically. Yeah, he failed; he should have done the whole thing, but anyway. Again, so we have awareness rising again, we have more money being put into security, we have the industry, sort of the bubble, being perpetuated beyond January 1st, 2000, and of course it crashed shortly after that and the industry consolidated dramatically. But also, it happened in the early 2000s: by January 2002 you have the Trustworthy Computing memo from Bill Gates, a very, very important memo. Remember I listed all these worms, Blaster, MyDoom, Sasser, Code Red, that were coming out one

after the other, after the other, after the other, and basically giving Microsoft a really bad amount of press, and Bill Gates finally, in January 2002, said enough: we're going to change the organization of the company and security is going to become number one. And so the memo indicated a shift change inside Microsoft. Patch Tuesday begins three years later, in July of 2005, which was again another big, momentous thing for the industry, because now you have a company who's going out of its way to patch stuff it's already sold for no additional money, other than future purchases, and I think that's what Microsoft was trying to do here, was

protect its future purchases as opposed to not worrying about past purchases. I think that they got an earful from some of their bigger customers saying, you know, look, if you're not going to stand behind the stuff that we're buying, maybe we're not going to buy it anymore, although I don't know what else they would have bought, because there really wasn't anything else. Another big thing that happened in the early 2000s was PCI, the Payment Card Industry Data Security Standard. It really began as five separate standards, but PCI has done more to increase the basic security level of organizations than any other initiative, and has created an entire sub

industry of audit, right? You now have entire companies whose sole job it is to do PCI audits, and if you love doing audits, hey, great; I find that to be boring, but it is a very huge part of the overall information security industry, and while it doesn't really make people secure, it has raised the bar considerably, so that it puts most people at the minimum base level. Oh, so I put a slide in here and I have no notes for it; I don't remember why I did it. Oh, I do have notes, okay. Enron and WorldCom: Enron declared bankruptcy in 2001, WorldCom declared bankruptcy in July 2002. Both of these

companies used massive accounting fraud to basically book earnings that they didn't have and keep their stock price high. Both of these directly led to the passage of the Sarbanes-Oxley Act of 2002, otherwise known as SOX, or the Public Company Accounting Reform and Investor Protection Act. Basically it says that internal controls must be assessed annually and reported to the SEC, and that the CEO and CFO will be held personally responsible, with jail time. HIPAA also has jail time for medical information. And so this sort of means that companies now have to look at security as a little bit more of an important aspect, because the security controls that they have to

have in place have to be assessed every year, and again we have another sub-industry of the security industry arising, who are doing auditing of companies to ensure that they're in compliance with SOX. SOX, unfortunately, hasn't really done a whole lot when you look at breaches like Target, Home Depot, etc., but again we're looking at a bare minimum level of security compliance, raising the bar a small amount and creating a sub-industry of the industry. All right, outside influences again, late 2000s: the Sony BMG rootkit scandal, 2005. Basically Sony included a piece of malware on audio CDs, so when you put the audio CD into your computer it would

install this software in the background, as sort of a form of DRM, digital rights management, to try to prevent you from copying or ripping the audio. 22 million audio CDs this was on. Now, everybody thinks of Sony and security as, there was an Anonymous attack a couple of years ago and it wiped them out. Attacks on Sony began 10 years ago with the Sony BMG rootkit; people have been in and out of their network ever since, and to think that, you know, it was all Korea... But this is really, the Sony BMG rootkit was really the first indication that your vendor could introduce bad security into your

environment. The Samy worm, 2005, Samy Kamkar. He's actually pretty well known now; guy's a pretty smart guy. I think he had some probation, where he wasn't going to touch a computer for a while, and now he's like defeating physical security things, like the detectors on doors and stuff. But anyway, the Samy worm in 2005 is said to be the fastest-spreading virus of all time; it's really just a cross-site scripting, right? It flashed a message saying "Samy is my hero" and then made you his friend. He amassed over a million friends in less than 20 hours. For those of you that don't remember MySpace,

it was the Facebook of its day, to put it simply. It's still around, I think; you can still go to MySpace. And cross-site scripting is still one of the top 10 vulnerabilities that impact companies now; we still haven't fixed it. Anonymous: I don't know what to say about these guys. They were founded in 2003, Target 2008, gave rise to LulzSec by 2010. Anonymous, in my opinion, isn't really that big of a threat, but they've scared a lot of people and they've made a lot of people spend a lot of money on security, and there are a lot of people using the Anonymous name, or operating underneath the Anonymous name, that aren't really

Anonymous. Thing is, Anonymous isn't really a group or an organization; it's just a bunch of people who say, hey, I'm Anonymous, and they do whatever they want. LulzSec, on the other hand, was an actual group with, you know, organizational structure and whatnot, and a mission and goals; Anonymous is not that. There are still people today who are running around claiming to be Anonymous, but they don't carry the same fear that they had 5 years ago. For a year or two there were a lot of companies that were really afraid that they were going to be the next target of a hack, and they spent a lot of money trying to make sure that

didn't happen. More influences: Twitter. Early Twitter was awesome, just like early everything. But both of these events, Twitter and BSides, sort of helped ferment, as Heidi was saying this morning, the community of information security, and that community of course works in the industry, and it's not just a few lone companies with products or individual admins with various skills; you actually have people sharing knowledge and communicating with each other because of both of these items. And I think without Twitter and without BSides you would end up with silos of corporations that don't talk or communicate outside themselves, and it would still be an industry, but

it wouldn't be the community-driven industry we have now. Then we get some of the mega breaches: TJ Maxx, Heartland, lots and lots of credit cards. We can add, I think I have them on here later, but you know, we have more modern-day, more recent breaches such as Target, Home Depot, these massive breaches of credit cards. So not only an evolution of the industry but also an evolution of the attacker; they're really trying to

monetize, and people have to realize that if they have something that the attacker wants, they're going to have to spend some money and defend themselves. The Verizon DBIR, the Verizon Data Breach Investigations Report, this is really a very influential report, started in 2009. Very boring reading, but highly recommended reading for anybody in the industry, because it's based on actual data; it's not marketing fluff. It's a little biased, I mean, it's only data from Verizon customers, and so as long as you read it with that sort of frame of mind, that it's a subset of everybody, and take that information that they present and extract it in that way, it's very, very

useful and can give you a very good picture of what's going on from the attack side. Late 2000s: first publicly disclosed by Google on January 12, 2010, Operation Aurora also hit Adobe, Juniper, Rackspace and others. This was big because it was really the first time anybody comes out and publicly blames China for anything. Whether China was actually at fault, who knows; attribution is hard, we won't get into that. But this was 2010, this was 5 years ago, and only now has it become a political issue where China is attacking and asked to stop, but it was brought up as a major issue 5 years ago. But the other thing that this event did is that it

led to the funding of a lot of security startups, folks like deala fire ment watch dos op DNS, a couple others; they all basically got funding immediately after this event, and so you had another round of startups. Stuxnet was big because, while it's not an industry thing, it was a government thing, an espionage thing. I mean, it was discovered in 2010. Stuxnet, for those of you that don't know, was targeted at Iran and their uranium enrichment machines, and was designed to either slow the machines down or give false readings, so that the scientists who were working with the machines thought they were

broken and replaced them, or basically delayed their progress. And it was discovered in 2010; it's still not completely understood yet, even now. In addition to Stuxnet we also found Flame and a couple other ones, but this was state-of-the-art in 2005. Now, parts of Stuxnet are very elegant and svelte and awesome, a beauty to behold coding-wise; other parts are not, very kludgy, slapped together. But the fact that this was discovered in 2010, and, you know, it took a long time to develop, and it was probably state-of-the-art in 2005, you really have to wonder what governments are doing today and what type of malware and stuff they're using now, 'cause I

know this isn't a one-off operation where they got discovered and said, oh, let's close up shop, we're not doing this anymore. Yeah, that's not happening. All right, rise of the APT: the Mandiant report in February of 2013, another watershed moment in the industry. We had accusations against China before, but now we have a lot more detail, 3 years later, in the fact that China is much more organized than we believed, that it is probably nation-state sponsored; they actually come out and identify a specific military unit. And now we have the term APT to affect everybody's marketing materials. So as far as RSA is concerned, we

still don't really know exactly what in RSA was compromised. They started replacing tokens in 2011 after an attack on Lockheed Martin that may have been related. And then of course SOPA, 2011, 2012, the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act; they're missing some letters in there. This resulted in massive online protests, DDoS attacks against supporter websites; a lot of other websites that were against it turned their website just black, and of course the bill was defeated. Unfortunately they just keep trying in D.C. over and over again, so now we have CISA, which was recently passed. But this sort of woke up

government and industry that the individual, or the user, was not going to sit around and do nothing, at least that's what they thought at the time. Of course, you get beat over the head enough times and you just start covering up, right? So that's how the system works. Anyway, Snowden, June 2013. Love him or hate him, patriot or hero or traitor, this guy has done more to promote information security than anyone else, probably, in the last 5 or 10 years. He basically gave a face to the insider threat, but he also fostered further distrust of government and crypto standards, and it really set the stage for the Crypto War 2.0, which is currently being

fought, waged, debated, or whatever word you want to use. Yeah, 2010s, more big breaches: Target, Home Depot; there were a couple other ones around that same time. The reason these are important, in addition to the previous ones, is this is really the first time that a CEO or CIO was fired over security issues. This was the second breach for Home Depot; the first breach was in 2011. And, yeah, so like I mentioned, people have been in and out of Sony for like 10 years; LulzSec had been defacing their property left and right since 2010, but now suddenly it's North Korea. But these three events, really, they

happened so quickly, one right after the other, they really helped increase mainstream visibility, and they forced the President to say something and issue his executive orders, and the result of course was Congress felt that they had to act, and that's how we got CISA. Also in the 2010s we have, you know, mark your calendar, this was 2014, the rise of the vulnerability logo. Some, I think there was a... but this is the year that vulnerabilities got their own logos and became a marketing thing, right, for the companies that expose them. You know, 15 years ago when I was finding vulnerabilities this was unheard of, and this is really a big turn of events,

at least in my mind, of what vulnerability information means and what can be done with it. A lot of these bugs had been around for years; they'd existed in the code for 5, 10, 15 years and nobody saw them. I mean, it kind of makes you wonder what else is out there, what else is in the code that we use every single day, that runs the internet, that protects our credit cards, that is being exploited already and we don't even know about. All right, the big one: OPM, Office of Personnel Management. I don't remember how many billions of records, or zillions of records, we lost;

it was a lot. The impact of this breach has not been fully felt yet; it is still ongoing; it is massive inside the government. I forget her name; they fired her, she was the head of the OPM. No government agency wants to be the next OPM; they are running super scared right now, and you can basically walk into any agency, and if they have any budget they will buy whatever stuff you have. It's not that easy, but it seems that way sometimes. The fallout from this is still being felt and will be felt for the next couple of years, and if there's another breach anywhere near that size

in the near future, that's going to be very scary. Another sub-industry: I talked about vulnerabilities with logos; as a result we have companies dealing in vulnerabilities. Again, 10 years ago this would have been unthinkable; even dealing at all, charging money of any sort for vulnerability information, was considered completely unethical. 10 years later that has changed: now we have bug bounties, now we have people buying and selling zero-days. It's an entire sub-industry within the industry. This really started to gain legitimacy in 2010 with Google bug bounties, and of course, I don't know if you know who she is, Katie

Moussouris. She used to work at Microsoft; she was very instrumental in getting Microsoft to pay out for bugs, because prior to her efforts they were like, no way, we're never paying a dime, and they're now one of the biggest contributors to bug bounties. She's now a C-something at HackerOne, where they basically run your bug bounty program for you. So we still have some notable holdouts in the bug bounty arena; Apple and Oracle come to mind. But this is now an entire sub-industry of the information security industry, the bug bounties and the buying and selling of vulnerability information, and it's amazing to me to

watch this come about, and to think, you know, 10, 12, 15 years ago this would have been unthinkable. And my last slide, which I added this week: for those of you that don't know, I work for Tenable Network Security and we just raised a $250 million round, Series B. I put that in there not to pimp my company, but this is the record amount ever raised by a security company. The previous record was $225 million by a company called AirWatch in 2013; they were later bought by VMware, and that wasn't even infosec, it was a mobility management product. $250 million is an obscene amount of money; I don't see any of it,

unfortunately, in my paycheck. But the fact that the industry has got to that point where you have that much money being invested in a startup... I see that, you know, yeah, we're a big startup, we've got like 600 people, we're not three guys in a garage anymore, but it's a lot of money, and it really shows you where the industry has come from, you know, from that first firewall sold by DEC, the first firewall sold by Check Point, and now we're at $250 million for a Series B. It's huge. How am I doing on time? All right, I'm going to go through the slides real

quick, right; I want to save a few minutes for questions. Future: cyber war, yes, I said cyber, get over it. Cyber espionage, right. Threat intelligence, which is not intelligent, and I could go on a rant on that but I'm not going to. FUD, FUD, FUD, FUD, FUD, there's so much FUD. When I wrote this slide it was right after planes started flying sideways, so that's why that's up there. Internet of Things is really going to be huge; thankfully there's a lot of noise about it right now, and I'm hoping that a lot of vendors are listening to that noise and developing their products appropriately. But, you

know, when you have light bulbs that are going to launch attacks against your website, that's an issue. AI on AI, that's interesting, because you have the DARPA Cyber Grand Challenge, where, excuse me, I don't remember exactly what it is, but they want to have an automated system at a DEF CON CTF that can defend and heal itself with no human interaction. Yeah, next year, right? That's coming up next year. Like, that is some scary stuff right there. Scary and good, but scary, because if they can defend, they can also be offensive. Anyway, that's my last slide. Anybody got questions? I've got four minutes for questions. Go, please, somebody.

Bruce has a question? No, no questions? Yes: when are we being replaced by insurance? Yeah, insurance is a good point; no, that's a good question. Insurance, I think, is really going to drive the industry very soon. I didn't put anything about insurance in the slides and I probably should have, but you're definitely going to see, you have cyber insurance now, and you have insurance companies who basically try to weasel out. I don't want to say weasel, 'cause they wrote the contract, but if you don't have all your i's dotted and all your t's crossed, they're going to be like, oh, you didn't implement this one control, we're

not paying you for this breach, or, oh, free credit monitoring wasn't covered in the terms of the agreement, so we're not covering the breach. But the insurance aspect is going to become big, especially with self-driving cars. Yeah. Is SSL obviously... oh, is SSL obviously broken? Yeah, hopelessly broken; there's a lot of big words around SSL being broken, so I'm a little worried about going to Amazon and buying something right now. Yeah, but you're only liable for 50 bucks, what's your problem? That's what I'm... it's not your liability. SSL: it's not SSL that's broken, it's the certs that go with the SSL, and the issuing of the certs, right, because you

now, what was the big scandal where Google found a cert-issuing company... Symantec, thank you. Turns out Symantec, yeah, of course it's Symantec; well, they got their start in antivirus, right. So yeah, it's not SSL the protocol that's broken, it's the infrastructure that surrounds it. Sorry if I wasn't clear. Any other questions? All right, I don't know what the next talk is, but I assume it starts here in a few minutes.