
Talk 9 - Vulnerable No More: Protect 3v3ryth1ng incl. 127.0.0.1 - Argy Makrygeorgou

BSides Athens · 2022 · 14:34 · Published 2022-06
About this talk
Abstract: Lightning talk ahead. Dedicated to every infrastructure alongside the end user, but also to the human being behind every cyber security professional, I am eager to address the top issues of the Vulnerability Management Lifecycle (CVE-based continuous monitoring and identification, retrospective alerting, compensation vs remediation, ASVS levels, etc.), including the vulnerability that every (untrained?) end user constitutes, and end up with a work-life balance, or better, life-work balance, "how-to" for all of us professionals.

Bio: ICT/IS professional with extensive experience in Operations, Solution Architecture, Managed Services and Information Security. He has been juggling strictly cyber since 2013, undertaking senior roles in Dublin, Ireland and Athens, Greece, and contemplating projects around the globe. His favourite work motto would be "Don't look back - you're not going that way". He joined Algosystems in Q4 2018 as Head of Managed Cyber Security Services, leading the new Security Operations Center and orchestrating the Security Integration part in parallel. He holds a BSc in Computer Science and an MSc in Information Security, both from Athens University of Economics & Business, along with numerous industry-leading certifications such as CISSP, DPO and more. He is also the Membership Chair of the Hellenic Chapter of ISC2 and very often offers security consulting/awareness when needed.
Transcript [en]

Hi guys, this is RG, and today we're going to talk about vulnerability. I'll start with a few words about myself: I'm the Business Development Director and Chief Information Security Officer for a major Greek integrator and managed service provider, and I'm the Membership Chair of the Hellenic Chapter of ISC2. I'm also a published poet and a retired handheld comedy tractor. Now, the agenda, which I'll try to follow, is going to include the significance of vulnerability management, a few words about the human firewall, which is excessively important, and a small episode of a work-life balance story, or better, life-work balance, as it ought to be.

Now, starting from vulnerability in a more generic way: vulnerability is the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally. You should stick to the emotional part. When we're talking about a system, it's any flaw or weakness in the system's code, procedures, controls, design or implementation that can be exploited so that the security posture, the security policy of the system, can be violated. When we're talking about systems, of course, I'm referring to any server, workstation, network device, IP camera, IP telephony thing or anything that has an IP and can be reached by a potential intruder.

Now I'll start off with something pretty common; I'm talking to a BSides crowd in any case: the intrusion kill chain. You know, I interact with a lot of customers, and when I'm talking to D- or C-level executives I give them a glimpse of it, stating that you see the word "vulnerability", and it's like "vulnerable" here, it's referred to in step four, the exploitation part, but if we do something about it, the absolute truth is that we're going to impact the very step one, the reconnaissance. So you see here it says "research, identify and select targets". What I'm stressing is that having a controlled vulnerability posture, keeping your vulnerabilities, in simple words, as low as possible in significance and in numbers, will prevent an attacker, in a random or semi-random attack, from harming you, so the aggressor will find a weaker potential victim; it's the same as bullying. But even if something is really targeted, again we're going to make the life and the effort of the aggressor very, very difficult by having, you know, a nice and neat public footprint.

So, moving on from the kill chain, we see that this effort to have everything in control is actually a life cycle. I mean, that's no news: everything in ICT and cyber security is not a straight line from A to Z, it's not a one-time thing, it's a recurring part. So we really need, in simple words... here we're seeing six nodes, but in simple words we need to assess, report, and do something to remediate, to fix, either permanently or not, the vulnerabilities that we have. We say remediate, but I mean compensate as well: so maybe there is a zero-day that is out in the wild for a few hours, there is no patch from the vendors yet, but still maybe we can harden our IPS policy, or put an extra access list on the firewall, or maybe, apologies for that, put a web application firewall as well; anything that one can do to mitigate an issue. And again, this is a process-based action: we need to verify this is covered and again run the drill from the start. So the main thing is that we need to do it consistently; the key here is to fix the important part consistently.

When talking about consistency, of course there is a maturity model, and many of you should already know the CMM, so this is a CMM approach to vulnerability management. I won't spend much time here, so we really need to be proactive; you know, the photograph is not optimal, but the key here is proactive. So we'll start from step three as a baseline: we need to have something really defined, and then it needs to get as optimized as possible. Now step four, the optimization, is again another life cycle approach, so there are levels of optimization and so on. As you see, as the aggressors become more and more agile and more dynamic, the same needs to happen to your vulnerability management strategy.

And of course code cannot be excluded. I mean, I have a few customers running software development companies, and they say, "RG, I mean, we have outsourced everything to our cloud providers, to Azure or AWS or Google, or maybe we have a few of them around, like the inter-cloud approach, so the provider takes care of everything because we're utilizing and buying a platform as a service." But in the vast majority, unfortunately, they're not incorporating security controls in their SDLC, so they end up identifying a few issues; even if not following the waterfall model and they're agile, they state that they're agile, they run some tests at the end, so they end up accepting an enormous residual risk or spending a lot of money and effort, and money again, to fix some things before they go live. So, for me, OWASP has been out there for 15 or more years; there is ASVS version 4 now, the Application Security Verification Standard. We should all target level 2 as a baseline, and you know, guys, if your application uses critical data like financial data or personal information or sensitive information, you should really target level 3, even if it's not easy to fulfil the 286 controls at the moment. I've seen out there a lot of very nice apps; I mean, people spend enormous money on the UX and UI and for marketing purposes, "oh my god, I'm going to convert customers", and then they get hacked by somebody because the application is poorly written security-wise. And that's the same now.

Now, the human firewall: it's a big commodity, sorry, it's a big buzzword out there. You know, it's something that as a term started a couple of years ago, but it's true, it's fundamental. You can spend crazy money on next-generation and next-next-generation things, and then you have your user plugging in a USB device or clicking on a link, and that's it, you're pretty much, apologies for the language, but it is highly essential to train your users and, as I stress, and I don't stress enough sometimes, your security team. I mean, OK, they're IT guys or infosec guys and hopefully they know how to check if any mail is a fraud or not, or they don't use their personal USB stick at the office, but you need to have an easy response plan. I mean, even if you're not abiding by a framework like ISO 27001, NIST, BIMCO or IMO for shipping, you need to have some processes around, and you need to check them along with the other stakeholders a few times per year, and then when something happens, because inevitably, inevitably something will happen, hopefully not something serious, they need to reach out to management, to marketing, to legal, and engage all the stakeholders. So everyone involved needs to be trained.

Now, this is a photograph; we're going to be staying in the human asset part. This is a photograph that I chose at the last minute to include. It's nice because it starts from the comfort zone as something that we were in in the past, and that's true, and it refers to the stretch zone. You know, I usually wake up quite early for multiple reasons, and I used to listen to all this motivational speaking about how to become the best entrepreneur, the best executive, and they often refer to the stretch zone: you need to fight and fight and fight and become better. And that's true, but there are limits to it, and nobody really refers to the panic zone, which is what comes if you haven't set your boundaries. So the ultimate truth is that human assets, and I'm referring to actual people, can also be vulnerable and subject to breaches, which means that no matter how they look outside, I mean they can be very functional, they can laugh, they can work with you, they can eat, it's OK, they can go out for a beer with you, and you think that they have a perfect life, they can still be vulnerable and they can feel bad. And when I'm saying they feel bad, I'm talking about anxiety, this is anxiety, they can be stressed, they can feel like shite. And that's a very important thing, because then your next-generation firewall looks something like this: this is your EDR, and this is your web application firewall, all your DLP. But these are just tools, just instruments; they are compensating measures, but they don't really remediate the problem. So there are things that we should do. This is a picture of myself a few years ago; unfortunately, this is something that I'm sure looks familiar to a lot of you when you look at yourself in the mirror every morning, and it doesn't matter, you don't have to be an executive to feel like that or to be like that. But yeah, there are ways to turn this around.

So we're going to talk about your remediation plan here. We need to learn to say no, and believe me, it does have to do with poor time management skills; there are things and people that we need to say no to, so that's important. Again, establish boundaries; it might look the same, but it's not. There are some lines that we should never cross regarding our well-being or, you know, the life-work balance, as I said at the start. So yeah, maybe don't work 16 hours every day for many, many years just to, you know, buy a brand new car or something; is it worth it? We should ask for help, and I mean professional help. Yeah, you can talk to your parents or to your better half or to a friend of yours, and that's fine, but professionals are out there; it's the same reason people hire us to do a professional penetration test or vulnerability assessment or something, and they don't reach out for a freebie out there. And, very important, try to build a positive relationship with your boss, as long as it can happen; if not, maybe you can change your boss, you know. Now is a good time to refer to the footer of the presentation: it says the first time is a mistake, the second time, and obviously every other time on top of it, is a choice. So, racing to the end, thank you everyone, stay safe security-wise and mentally sane, and I'll talk to you when I see you around. Thanks.
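The assess, report, remediate-or-compensate, verify loop and the retrospective alerting that the talk and abstract describe, written out as an added example; this is not code from the talk or the speaker. Every host, product, version and CVE identifier below is constructed sample data (the CVE-0000-… IDs are placeholders, not real advisories), and the rule that a product with no published fix counts as affected in every version is an assumption of the example, not something the talk states.

```python
"""Toy CVE-based vulnerability-management loop: assess -> report -> remediate or
compensate -> verify, plus retrospective alerting for CVEs published after the
last scan. Every record below is constructed sample data, not a real advisory."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cve:
    cve_id: str              # placeholder identifier, deliberately not a real CVE
    product: str
    fixed_in: Optional[str]  # first non-vulnerable version; None = no vendor fix yet
    cvss: float


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    exposure: str            # "internet" (visible in recon) or "internal"


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49): compare numerically so 2.4.9 < 2.4.10 holds."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(asset: Asset, cve: Cve) -> bool:
    """Assumption of this example: with no fix published, every version is affected."""
    if asset.product != cve.product:
        return False
    if cve.fixed_in is None:
        return True
    return parse_version(asset.version) < parse_version(cve.fixed_in)


def assess(inventory, feed):
    """Identify which assets are exposed to which CVEs, most urgent first:
    higher CVSS first, and internet-facing hosts before internal ones."""
    findings = [(a, c) for a in inventory for c in feed if is_vulnerable(a, c)]
    findings.sort(key=lambda f: (-f[1].cvss, f[0].exposure != "internet"))
    return findings


def plan(findings, compensating_controls):
    """Report step: remediate where a patch exists, compensate where a control
    covers the product, otherwise record the residual risk explicitly."""
    actions = []
    for asset, cve in findings:
        if cve.fixed_in is not None:
            action = f"remediate: upgrade {cve.product} to {cve.fixed_in}"
        elif cve.product in compensating_controls:
            action = f"compensate: {compensating_controls[cve.product]}"
        else:
            action = "open: no patch and no compensating control, residual risk"
        actions.append((asset.host, cve.cve_id, action))
    return actions


def retrospective_alerts(inventory, seen_cve_ids, feed):
    """Continuous monitoring: a CVE that arrived after the last scan and hits an
    asset already in the inventory is alerted now, not at the next scheduled scan."""
    new = [c for c in feed if c.cve_id not in seen_cve_ids]
    return [(a.host, c.cve_id) for a, c in assess(inventory, new)]


def apply_patch(inventory, host, product, new_version):
    """Remediation: return the inventory with one host's package version bumped."""
    return [Asset(a.host, a.product, new_version, a.exposure)
            if (a.host, a.product) == (host, product) else a
            for a in inventory]


def verify(inventory, feed, host, cve_id):
    """Verify step: re-run the assessment and confirm the finding is closed."""
    return not any(a.host == host and c.cve_id == cve_id
                   for a, c in assess(inventory, feed))


# Constructed sample data (fake products, versions and CVE IDs).
INVENTORY = [
    Asset("web-01", "exampled", "2.4.49", "internet"),
    Asset("web-02", "exampled", "2.4.51", "internet"),
    Asset("db-01", "sampledb", "13.2", "internal"),
]
FEED = [
    Cve("CVE-0000-0001", "exampled", "2.4.51", 9.8),  # vendor fix available
    Cve("CVE-0000-0002", "sampledb", None, 7.5),      # zero-day, no fix yet
]
CONTROLS = {"sampledb": "IPS signature plus firewall ACL limiting the DB port"}


if __name__ == "__main__":
    for host, cve_id, action in plan(assess(INVENTORY, FEED), CONTROLS):
        print(host, cve_id, action)
    patched = apply_patch(INVENTORY, "web-01", "exampled", "2.4.51")
    print("web-01 closed:", verify(patched, FEED, "web-01", "CVE-0000-0001"))
    later = FEED + [Cve("CVE-0000-0003", "exampled", "2.4.52", 8.1)]
    print(retrospective_alerts(patched, {c.cve_id for c in FEED}, later))
```

Versions are compared as integer tuples rather than strings so that 2.4.9 sorts below 2.4.10; the retrospective check is just the normal assessment run over the CVEs not seen at the last scan, which is what lets a new advisory be matched against the existing inventory without waiting for the next scheduled scan. The zero-day case shows the compensate branch: no fix version exists, so the IPS/ACL control is recorded instead, and the finding stays in the loop until a patch lands and the verify step closes it.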