
...appreciated. Not only, I think, my ban on airlines; I'm not allowed in the U.S. stock exchange, I think I'm still banned from France as well, a couple of other countries. It's good fun. I mean, it's good fun. We are recording this, aren't we? Yes. I'm in the UK, the FBI can't get the evidence, it's even better. Yeah, some [ __ ] fun.

All right, so standard, normal disclosures with any kind of presentation I give. Yeah, we're gonna have a little bit of fun with this one. I'm gonna keep it nice and simple. Head of security up front, Boom Supersonic. I'm also a researcher; I still keep a fairly technical mind, and we're going to talk a little bit about some stuff in there. I'm a father, primarily these days, to Great Danes. I have three Great Danes and they're pretty amazing. I'm still a geek and I am a hacker; I've been for many years, still I am, and I get annoyed with everybody in marketing and sales who blames us, for crying out loud.

All right, quick agenda. I've got what, 25, 30 minutes? We have 60 slides, so if you sit back we're gonna have some fun with this. So we're gonna be nice. I'm going to start off nice and friendly, we'll be civil and all this kind of good stuff, then we're gonna have a conversation about why we have to have this conversation. Set the scene, have some fun with this, a little bit of annoyance for the industry. We're gonna blame a few people, including us, and we'll go from there.

So let's start with the civilities. Everybody gets a pat on the back. We've got to be nice with everybody at the moment because, in more cases than not, all of you have ticked the boxes. Not only have you ticked the boxes, you've been listening to people here, you've integrated your security teams efficiently into your organization, you pass your audits, you have put the tick in the box. Congratulations. You might even have good security people, and you use SFTP, which means you feel good about yourselves. Nice, warm, fuzzy and good. Everybody's put the tick in the box, the audience is happy, we can let them loose for another 12 months.

Now, as everybody knows, when a bunny goes up on the screen, shit's about to get real. So [Applause] this is reality. Holly was fantastic this morning, she gave you a nice intro. I'm not as nice. This really is reality, and this is reality because, as an industry, and these slides are available, take pictures, or hit me up on LinkedIn and I'll get them to you, we need to have this talk, unfortunately, because as an industry we've failed so many. I made a point in there earlier on that we have one job, one single job in this industry. If you're coming into this industry, or you are here, or you've got gray in this industry, we have one job only: to protect those around us.

Now, a very nice gentleman up front, that's got a red lanyard on him, stood up front and explained exactly how, as a country, we have to protect ourselves. There's some decisions that have to be made; that's not nuts, that's life. I'll be blunt: we have been at war in the digital realm for the best part of 20 to 30 years. Shit's not getting any easier. We also have to have this talk because, as an industry, we prey on those that fail. I come from a country of ambulance chasers now. Cyprus is where I was born, and not England or Scotland, where my parents came from, but I'm based in Americaland, and good gods, today, ambulance... yes, this is our industry. How many of you that have been part of a breach, within 10 minutes of it just being disclosed, get the vendors going "hey, I could have saved you from that pain and suffering because I have the solution that's a hundred percent safe"?
Why do we know that we're screwed? Because those of you that run a pen testing organization, or have had organizations, don't have enough bandwidth to take on more bloody clients, because you're all dealing with ransomware, you're all dealing with clients that get their ass handed to them. So why have we failed so badly and so inefficiently in this one, and why do we still not think... because so many people go "well, everything's okay, what's going on, what's happening?" Well, there's some fairly simple statistics globally. So take this out of a digital context and put this in a human context. I'm six foot three, I'm large and I'm hairy. If you take 197 days to find me in your house, I pee in the potted plants, I chase the cat around the place, I try to feed them to the dogs, and then when you've found my sorry ass in your house it takes you another 70 days to get rid of me. This is reality; we are where we are in the digital realm.

83, and that's actually a low number, targeted by phishing attacks. I said it this morning and there's been other talks here about how, for me, from a human perspective, we fail. Why? Because you keep buying more [ __ ] technology. We're losing. This one pisses me off: 22 million records, and a record, it could be a trading card, it could be a social security number, it could be a National Insurance number, sorry, one country, it could be payroll information, any of this stuff, that's a record. Globally, 20... I'm on stage for what, 30 minutes? In that time we're going to lose another half a million records globally. Sucks.

And this one, I'm not yelling at you, I'm gonna let him yell at you: 77 of organizations don't have an incident response plan. That shit's not hard. You can download it; I'm pretty sure the British government people have got nice defaults, if not NIST has got a bunch. I was in Boston last week, we ran three tabletop exercises inside 45 minutes and we killed people; the shits and giggles while we were doing it. The first one was simple: hey, let's kill somebody off, right? What do you do, how do you recover? Next, your cloud went away, how do you recover? Third one, I'll take your computer from you, what are you doing to recover? Simple, easy things. Tabletop exercise done. 77 don't have an incident response plan.

Our industry, oh man, we're kicking ass, like seriously: six trillion dollars is the hit you will take globally, is going to be the effect, and yet we are still making money hand over fist. The finance industry, which has been around for several thousand years, has made just over 300 and something odd billionaires. The IT and infosec industry has been around 13, 20, 34 years; we are only several billionaires behind that. So you can't protect people, we spend more money, and we're minting billionaires faster than everybody else. Something's not right. So, you know, I'm just gonna say this about where we're at at the moment.

Now, as was pointed out, Holly said AI will save us, because, you know, according to most of the vendors it's absolutely... this is how good AI is. So part of my job over in the US is, there are companies that come to the US government and the US military and go "hey, we've got this [ __ ] great AI thing", and I'm like, challenge accepted. My job is to make adversarial AI, and we did this one. This is a fantastic one: we modified literally a couple of pixels and turned the analysis of a pig into an airliner. So it's quite simple, adversarial intelligence: you can make pigs fly.
I also heard the conversation about chains, so I left this one in. This is where it gets interesting as well, because we try to also look at us and be focused about us, but we tend, unfortunately, to miss the supply chain. We miss the vendors, we miss the third parties, we miss that we're part of a global economy. As an attacker, the chances of me walking up to your front door these days and coming in are pretty limited; I'm gonna take you out on your supply chain. Let's face it, toilet rolls brought the entire Western economy to its knees. That isn't hard.

I was in a maritime conference a couple of weeks ago and we literally demonstrated how to turn over... and I say that: in Saudi in November I had three of the Aramco oil tankers up on screen, and we pivoted in from the VSAT systems, got in through nav, and done some other things, and I'm sitting on basically the ballast control system. And as was pointed out eloquently by my colleague, I'm pretty good at making [ __ ] go left. This time I'm like, hey, can I turn it upside down? And they were like, no. So I ended up hacking his excellency's camels instead. That was fun.

And so it is all about us, and it's not necessarily about the weakest link, because that is another one of those fallacies, and especially when we blame people, that pisses me off too. This day and age you're more likely to be taken out by a supply chain attack than by anybody on that side of it. So what are we doing about it? We have all these challenges, we have all these issues, what are we doing? Well, this is what some people are doing now. This is why we have interns, because you get to sacrifice one every now and again. For those of you that like to recognize this, this is that one computer you have in the back of the closet; you don't know what the hell it does, but if you turn it off, the lights in London start to flicker. That's what some people are doing. Other people are doing this, which is working out really well for them.

And this is the other one that drives me nuts: we as an industry, and I'll put my hand up, I used to blame my grandmother for things, for crying out loud. We're really good at blaming everybody else, but what we're not good at doing is looking in the mirror. Come on, you say, he's sitting down and he doesn't have the microphone on... no apology, you just missed half of it. It's all right, screw you. [Applause] We're good at blaming everybody else and we're not good at taking it on ourselves.

The other challenge on this one as well, pen testers are going to recognize this one. Yeah, let's go: that conversation that we need to have, not just with ourselves, with the business and with the organization, to help them understand what is, or more importantly what is not, a problem. Attacking your development system isn't great; if I leave your production alone, it's fine. So we need to change. Pretty obvious, pretty simple. And I look to us, as leadership in the industry, to go how do we effect change, and I look to everybody here who's coming into the industry to go: you are the change that we need. So let's start with what do we need to change. That's simple: let's stop the [ __ ],
let's stop fooling ourselves, let's stop fooling others, and by that I assume you may need to take accountability. When was the last time you sat down with a vendor and a partner and said, hey, when things go wrong, are you right next to me or are you stabbing me in the back? When was the last time we sat down and had a conversation, whether it's pen testing, assessment, accountability, any of that kind of stuff, and said, hey, I will hold myself and I will hold you accountable for this; I'm gonna work with you only if I can see change and I can see things fixed? When was the last time we ever held each other accountable?

This one's a biggie. This is where we have to hold our own industry: the sales, the marketing, the organizations, the CISOs, because it takes both sides. It isn't just all the vendors' problem; us inside the industry have a problem as well. We all have to come together and realize that whole "hundred percent safe and secure", and yes, I took most of those off of the vendor websites, has got to change. Some of this, this one's a nice one as well: we're really good at standing up and explaining what the challenges are, but we're not good listeners, and sitting down, when the business says what they say, you don't necessarily listen as efficiently or as effectively as we could. We don't take good notes, we don't work with the businesses as well as we should, which is why we have this one: we have two ears and one mouth, we need to use them in that ratio. Military thing, whatever else you want to look at it as, consultant thing: sometimes you do sit up, shut up and just listen to what everybody else has to say, says the guy doing all the talking in the front. He's calling out the irony.

And this is part of the reason why, and this comes back to these human conversations: the number of people I've had them with, as an attacker, as an adversary, as somebody who spends half of his life having conversations about how I'm about to take all of your data from you, this is how easy it is. This screen I put in front of boards, because this is all it takes. Now the challenge we have with this is from an educational standpoint. How many of you are part of, or run, or are involved in the education of your users and awareness training? Anybody? Okay, what is it, once a year, once a quarter? How many of you do it once a month or once a week?

Now I live in Americaland, okay. In England we have this thing called football, played properly, with freaking feet and a circular ball, 45 minutes in each direction, okay, and you don't really stop for very much apart from those wonderful swan dives. In Americaland they play something called football as well, except it's played with an egg-shaped ball, and the game that should last one hour lasts three to four hours because they can't concentrate for more than 10 to 15 seconds. So when you stand up in front of your company and you say, hey, don't click [ __ ], and sit in and do this awareness training program, which is probably the same one you did last year, by the way, which you already probably have the answers to, and you do it once a year and you expect people to remember it for another 364 days: in this country you might get away with it, but in the US you're screwed after 12 hours. So that whole idea about user education, user training, user awareness: this is not a one and done, this is continual awareness training. We do it at work, we do it basically every couple of weeks, we run something out, and we don't try to fool people. Doing an awareness phishing to try to see where your baseline is is an [ __ ] move. Fooling people is [ __ ]. Train them, teach them, educate them, work with them, help them understand it in all the various different ways it should be done, and then maybe test them, but tell them you're gonna test them. Don't be the [ __ ]. Anyway, let's move on.

Now I have a squirrel moment. How are we doing on time? Like, I'm in good shape, kind of ish, we're gonna skip some. So this was what I was... oh, that's me touching the stupid thing, sorry. This comes back to: so I still do research and I have some fun. I was actually going to do a whole talk on this but I'm like no, we're gonna have some trouble, we're gonna mess around with this first. So we're doing a squirrel moment. Some of the latest research I've done has been on light bulbs.

So years ago, and this comes down to this whole idea of you have no barriers, you have no walls; anything that you have can be breached, broken into, taken, and everything else. This comes down to some very simple things that you need to do as anybody inside an organization: understanding the assets, understanding the data, because it really comes down to the fact it is not if something happens, it is when something happens. And quite often people feel like, oh no, we're immune, we have all these controls, and I'm gonna go, no you don't, [ __ ], then I'm gonna prove it.

So, light bulbs. I like light bulbs. Years ago I did a whole bunch of work and a whole bunch of research on light bulbs because we were basically pulling sound off of them. They were really good listening devices, and they were good listening devices because, you know, the last 10 or 11 years we've had the iPhone as a listening device, let's face it. Now, years ago we started looking at using lasers, and we looked at sound and we looked at some other things, because light bulbs, traditional light bulbs, were really really fun things. You've got electro-optical sensors, the Lamphone type attack on them, and then there's laser slicing and glass vibrations; if it's not well known, go do some research on them. They're absolutely fantastic things you can use as a listening device; you have to typically have line of sight to them, or any of this kind of stuff. The reason I looked at it is because, well, they're actually everywhere, and I'm like, hey, I need a listening device. So I'm like, how do I get a listening device? How do I prove to a company that I can take them out no matter what? How can I prove to an organization that, no matter the controls they have or everything else that they have, I can attack them through different methods? And we'll have that conversation. Now this is great, but technology's moved on. Technology has moved on to these sorts of things; you can't shine a laser at these buggers, and there's lots of them.
Lots and lots of them. But the nice thing about them, despite the fact there's all these different ones that you can buy, is they all use relatively common, relatively similar types of technology. Not only do they use those types of technology, but you can combine them with other things and you can take these pieces. So for those of you that are looking to do different research and different things out there, and don't know how to get started in this industry or want to give a talk: go buy some electronics and take the stuff to pieces. Welcome to hacking 101. For me, I took light bulbs to pieces, and I'm like, huh. And you take the top off the top-left-on-the-table light bulb, take it to pieces, you basically have this nice internal circuit board. Take a look at the circuit board; there's actually a wireless board that's attached to it, it's a daughter board. That's okay, I can take that daughter board to pieces and I can take a look and I can see what's on that board, and there's two specific chips on there, and I actually have one of them, I think, in one of the... what is it, the 5159 chip on there. And we did a bunch of research on that one and a bunch of research on another chip and said, huh, there's only two places that manufacture those two chips for wireless and for Bluetooth LE and a couple of other things, and we're like, I wonder if we can go buy some. So we did. We mapped their pinouts and pin IDs and we figured out that we could get to the firmware, and I'm like, what else can you do to this thing?

And the nice thing about people in manufacturing is they don't want to have to build and buy more things; they basically cobble everything together, kind of like the source code that you use these days. How many of you write your own code versus how many of you glue code together from all the GitHub libs? Same thing up here. So we figured out the two chips that we could actually use to implement Bluetooth and a few other things. Then we realized that there's a recording module, because provider number one didn't want to have to make two different boards, so they made one board that had audio capability and one board that just had the firmware changed differently. So we changed the firmware back; we shouldn't do this. And then, because the firmware provider was like, well, we're in the supply chain, nobody's ever wondered about us, we decided to update their FTP server: no certificate, no secondary authentication, nothing else in place. So there's now some firmware sitting on there with a smiley face, both in the simple code... the smiley face comments out exactly what we can do, which is basically enable audio on every single one of these things. Now we commented it out; everybody left it in a few places as well, and now it's in manufacturing. So we have the code that actually enables this and we can replay the attack on this and flip all of the passive light bulbs into active ones. So now we have digital light bulb capabilities and they're in manufacturing.

So now we have to have the conversation: awareness. Now we have to come to have the conversation about access control and supply chains and attack vectors. As you look at the organizations you're responsible for, and as you look at the organizations that are around you, start looking at where those attack vectors might be, start looking at the supply chain, start asking the questions. Take a step back and look at DevSecOps, which, let's face it, is nothing more than collaboration with a fancy new name, and go, how do we work with the development teams so that Chris can't do that in the future, and all the other stuff that goes around that one. All right, squirrel moment over. If anybody wants the code for the light bulbs let me know; not sure I'll hand it over, but you get the idea.

So let's talk about soft skills, because we've talked about the humans. So let's talk about this one. We had a little bit of fun in there with all the recruitment stuff, and we thought about communication, we talked about cooperation, coordination, collaboration. These are as, if not more, important than your ability to code and program and pen test and do an assessment, because, as you know, you can go break into [ __ ], but if you can't actually communicate what you've done, how you did it, it's going to be pretty useless. But we also need to take a different approach. How many pen testers do we have in here? All right, this is for you.
Let's think about this for a second. You're a company, normal organization. I am a large, six-foot-three, hairy pen tester, knock on your door: oh, I'm here to penetrate you. Not only am I here to penetrate you, but I brought Kali, the goddess of death and destruction, with me, and I brought pineapples and ponies, and you're like, [ __ ], where's the loot? This language that we use is not only offensive and abrupt, it is not communicative and it is not collaborative. Why not walk up to the organization and go, hey, we need to have a conversation about cyber security, we need to have a conversation about risk, about probability, how about we sit down? I've got the tea and biscuits, or coffee, apparently, is more prevalent in this country. Why don't we maybe play a game? Now, as we all know, when we play a game somebody's going to get eaten by the grue; it's just gonna happen. But you do it in a collaborative way, you do it like talking with people, you do it in their language.

Somebody made a comment earlier about the amount of freaking acronyms in this industry. Oh hell yeah, I think it's like second only to the military as far as acronyms go, but we might be getting worse because the marketing people are making [ __ ] up. We can't do that, we can't afford to do that anymore. We are losing this battle and it ain't pretty. We have to figure out how to talk to people more efficiently and more effectively, in a way that they understand, not necessarily in a way that we're more comfortable with. We also have to be willing to ask more questions. When the vendor turns up and goes, hey, I've got this really good AI/ML model, you're like, huh, I've got 15 questions to ask you. Sit down, shut up and pin your ears back. If you don't have the questions, I have them for you; they're on LinkedIn somewhere, I'll put them out again. It's the same thing when somebody's like, hey, I've got an MSP, I've got this, I've got AI, I've got any of this: get more questions out there.

Plus, it isn't just our problem. We have to be willing to sit down with the network team, with the firewall team, with the development teams, with the DBAs. DBAs are a bit weird, they kind of smell, they sit in the corner of the dark, but you know what, bring them into the hallway once in a while, give them a bit of a scrub down, they're fine people. The other thing: we have to share. This is a community, okay. You might not openly be allowed to share some of the problems that are going on; that's why Signal was invented, okay. Talk to the peers and people around you. You maybe can't share circumstances or specifics, but you know what you can share yourself: pick up the phone and say, hey, we just ran into an issue with A, B and C, do me a favor, I know you're running it, double check it and go from there, okay. A little bit of sneakiness, a little bit of conversation between you. This is a community; collaborate, please.

And especially, you know, understand your surroundings, very much so that one. This came out of my world: observe, orient, decide and act. We have to know and understand our surroundings, we have to understand who and what is around us, internal, external, and a whole lot more. Our decision architecture needs to be more efficient and more effective, and then we do need to act upon it. How many to choose? Pretty wisely. Again, back to those vendor questions. Every vendor is going to tell you this is what it looks like; this is reality. Let's face it, remember that whole single pane of glass thing? Yeah, really good, isn't it? OCD overload. And let's face it, are you really going to buy information security from this person? Okay, it's all about the people. Ask more questions, for crying out loud. We need to stop buying the blinky [ __ ], okay? We need to stop buying the blinky [ __ ], all right.

And this is like, again, I talked about this a little bit earlier, but I'm going to go into a little bit more depth. You're in an organization in a leadership role: you do not have the right to open the checkbook for any blinky [ __ ] until you figure that out. If you can't tell me what assets you have in the physical and digital world, you don't get to buy any more toys, because how can you protect what you don't know? How can you honestly stand in front of anybody and say "I've got you covered" when you don't even know what you have? Not only what you have, but where the hell are they, and who's using them, who's got access to them, what the hell are they doing, what should they be doing? Those might be two very different sets of conversations to have. What's on them? Useful conversation. You don't get to go do other things until you have these basic, simple things sorted, okay. And by the way, this is where you can go get your new people in: you can bring interns in, and give them pencils and give them paper and get them to go count assets. Those that can count accurately can transition from a pencil to a pen, okay, and then we now have progress. But you want to figure out how to bring people into this industry? Work on this: hey, I need a bunch of folks, come in, help me understand where my basics are, and then when you've understood where my basics are, help me understand what the hell's on them, or what the heck we do with regards to them.

So this isn't hard to do, because, well, that's my asset. Actually that's the old picture, I just realized; the new one looks different, though, I think it's on the front page. My job at Boom is to look after that and make sure that gets off the ground, but as soon as I have to look after the people and the location and the systems and the avionics, the buildings, etc., etc., etc., let alone the stuff I do inside the intel community, and let alone the other secrets that we're getting involved with...

And here's the one for all of you, yeah, you knew I had to put him up there. This is the challenge, and this is a simple message to take back to the business, as the late Sir Terry said: million-to-one problems crop up nine times out of ten. Do not be going through an incident looking through the A through Z, or the Yellow Pages, of who you can call upon. So, closing form on here, because I'm getting out of here; about two slides, that one I'm going to ignore. This is what I'm going to do: we've all come at this from different directions, every single one of us, I guarantee it; we'll look at this through a slightly different lens, but we're sure as hell all in the same boat, every single one of us. We're in this fight together; we have a lot of work to do. So, as nice as I can put it: lead from the front. You are all here as part of the community to effect change. Every single one of you has the opportunity to do that, every single one of you can make that choice, so please do so. And with that I'm going to shut up and say thank you very much. It was an absolute pleasure.