
BSides Glasgow 2018 - Vicky Walberg - Diversity In Infosec (Not That Sort!)

BSides Scotland · 25:51 · 22 views · Published 2018-05
About this talk
Abstract - A talk in 2 parts. In Part 1 I'll use the OSI 7 Layer Model as a talking point about the diversity of areas of work, research and concern across the infosec spectrum. In Part 2, Rockstars vs Plumbers, I'll talk about the work that enterprise security people do across layers, how this relates to "rockstar" researchers, and security versus compliance. The aim of the talk is to help bridge the gap between various infosec "tribes" and educate attendees on the breadth of topics and how they relate to one another: e.g. for those working at the application layer, the issues at other areas of the stack; why "plumber" work (doing the basics) is still important work; how compliance activities can aid security; and why research work is important and helps day-to-day enterprise security admins.
Transcript (en)

So, welcome to a talk on diversity in infosec. My name is Vicky Walberg; a lot of people probably know me as Vicki Jo online. I also run my own consultancy, which is Logically. So today's talk is going to be a talk in two parts. Part one, I'll use the OSI 7 layer model as a talking point for diverse areas of work and research, showing areas of concern across the infosec spectrum. Part two is Rockstars versus Plumbers, and I'll talk about the work that enterprise security people do across the layers, how this relates to rockstar researchers, and security versus compliance. So with both parts I'm aiming at a broad overview for people new to or thinking about entering the industry, and also for those who have been more focused in specific areas of work or research.

So, part one. I go to various cons and meetups, and some can be quite siloed. So there are the more techie ones like BSides or Insomni'hack, and they tend to focus on things like malware and pen testing or research; and things like the OWASP meetups: software development lifecycle, DevSecOps; and then I go to the (ISC)² meetups as well, and they're more regulation, policy and enterprise. And it can feel quite tribal at times.

So for those not familiar with the OSI model, it's up there on the screen, and across on the right-hand side you've also got the TCP/IP model, so certain things don't fit neatly into the OSI layer model, if you like, when we talk about those. So I am going to play with terminology; it's not going to be strict at all, and I'm going to broaden the scope, so I'm going to be taking a few liberties.

So my background is network engineer, sysadmin, a long time ago. I've done a lot of roles where I've had to do a bit of everything, and in some ways things have changed. There's been an evolution of tech in general and today roles are a lot more focused, so there's a larger variety of roles and technologies, and there are lots of things that exist now that didn't when I started, and lots of things that have gone away, more recently Solaris. But when I'm working as a security manager or a consultant I have to think about all these layers and beyond.

So the last time I gave this presentation I did switch things around a bit and I started with the data layer, because I think that's the key thing that people are trying to protect, their data. But I will go back and start with physical this time.

So in terms of things like threats, in the enterprise you've got theft and loss and fire and floods, and the disaster recovery type things that a lot of governance, risk and compliance people think about. And in terms of other physical attacks you've got people trying to get unauthorised access to physical locations or to data, perhaps using a physical means like USB drives. In the research and nation state space you've got things like tapping; there's been a lot of controversy lately about the tapping of undersea cables; and new attacks like Rowhammer, involving bit flipping and using the capacitors for doing that.

Over on the data side of things: so data in the enterprise are the crown jewels; they're always seen as that. So you've got intellectual property, you've got trade secrets, you've got HR data, you've got finance, payment processing, you've got all that sales and marketing data, things that help support the business. And now with social networks you've also got a lot of personal data being collected, and that's now being used; and also government networks having a lot of data about people, and that personal data can be used for manipulation of the person, and that might be things like, as we've heard recently, and for things like blackmail or extortion. So that's one of the reasons that people are looking for data, this manipulation of people. But also, aside from the day-to-day running of the business that a business needs data for, and making money, you've got criminals who are wanting to also make money, and so you've got this issue with politics, corporate espionage, and a lot of it all boils down to financial gain, or things like blackmail for political gain, and we've got to think about how we defend that data.

So a lot of that comes from governance: things like GDPR, which is coming in to help regulate the data; things like the ISO 27001 series, and that's not just ISMS and the 27001 which lots of people have heard about, but there's a lot of other standards within that series, right down to even ISO 27039, selection, deployment and operations of intrusion detection systems. They can be quite specific on the technology with those types of standards. And there's also other regulatory controls around data and data processing in certain industries such as finance, and so a lot of the work that people do in the enterprise sector is providing support and technical controls to support business or regulatory aims.

So in terms of threats for that data you've got data leakage, and we've heard a lot of instances of data breaches more recently, potentially the one with TSB, allegedly, and it might be for a variety of technical and non-technical reasons; it might be failure of access controls, for one. But the loss of that data can have bad knock-on consequences, not just to the business but also to individuals, with things like identity theft. And there's the financial impacts and losses for businesses, and even in the public sector there's the fines that can be imposed on those public sector institutions.

But in a true OSI sense, for the data layer you've got attacks that include MAC address and ARP spoofing, with a potential loss of confidentiality or integrity, and it could lead to session hijacking; you've got things like IP pool DHCP starvation affecting availability, spanning tree, VLAN hopping. So there are things at the data layer technically as well. So in terms of protecting data, I think for defence of it you've got to look at defence in depth and take more than one control or design to help defend that data. So it's not just things at the data layer that you can do to protect that data, but it's across all the layers, particularly the application layer.

So, network layer. Yeah, I did put a pew-pew map up. In terms of threats in the OSI sense you've got things like ping of death and routing and packet sniffing and IP spoofing, and those are often indicators of people trying to get a foothold or gather data to be used elsewhere. In terms of defences at the network level you've got things like firewalls and access controls; authentication and encryption might mitigate some attacks such as packet sniffing. So those are the sorts of things that a lot of network engineers, or security network engineers as they tend to go by now, help prevent.

The transport layer. So with TCP traffic in this way you've got a bit of a difference between the OSI and the TCP layer, and connections are established at the transport layer. So in terms of injections, that's where you've got your man-in-the-middle attacks, so things like a Mitnick attack, and a defence against that sort of thing is that the sequence number needs to be very long or very difficult to predict. And you've got other things such as SYN flooding and UDP attacks, and you can use things like SYN cookies and nonces to help mitigate those attacks as well. There's a lot of information on that link; I think that's 129 pages of slides just on transport layer attacks and defence, for those of you interested.

So session and presentation layers: that's mainly things like NetBIOS and SIP and RPC. Presentation and session layers, again, people trying to access data, so you've got firewalls and patching, and TLS can help mitigate those types of attacks. So TLS is very broad and goes across a number of OSI layers, and it is a good way to defend against a number of different attacks.

Application layer: you've got things like XSS and SQL injection attacks, and the things that a lot of people here are probably a bit more familiar with. So in terms of offence at this layer, it's people using security scanning tools, people doing unofficial pen testing, malware and ransomware creators using vulnerabilities to attack at this layer. And for some of these vulnerabilities there's a lack of design, or it's a misconfiguration, so mistakes with the design as well. We're seeing it with applications particularly; there's perhaps a lack of process as part of their design and development, so a lack of risk modelling; sometimes it's down to developer problems such as a lack of awareness of good coding, or making a mistake; and also sometimes a lack of testing, where testing could have caught some of the vulnerabilities in applications. So in terms of defending apps I'd recommend robust design, implementation and change control processes, so all the GRC side of things that help support the interesting work that designers and developers do. And there's also some more sort of publicly accessible or public good defences, where you've got the likes of Google Project Zero doing a lot of work and finding some really interesting and in-depth problems and helping to alert and mitigate those. But I'd certainly recommend following the OWASP Top 10.

So layer 8, not really an OSI layer but it's generally referred to, which is the peopleware, and some of the threats around there: so misunderstandings and accidents where there's no malicious intent, where somebody might do something like accidentally delete data, accidentally release data; we've heard of instances of people sending data out that hasn't been encrypted, and that's sometimes where the ICO levies fines. It's also things like users receiving an email and not realising it contains a virus. So in terms of people capitalising on that you've got things like social engineering; there's lots of interesting talks around social engineering, people gaining access to buildings where they shouldn't, and then they can start to implement more technical threats once they've bypassed the physical controls in place; and also things like bribery and blackmail. There was an interesting study where somebody was stood in a train station and they were offering chocolate in exchange for passwords, and so it does happen.

So in terms of preventative measures for people, it's things like doing background checks, a lot of employers do that, and checking whether they're vulnerable to bribery or blackmail; having things like physical security of sites; and then in terms of technical measures it could be basic things like having antivirus. I know some people say they don't think antivirus is needed anymore, but I'm a strong believer in it, because it can help with these attacks where it's hard for people to spot things that have slipped through the net. Backups can help in the instances where there's been accidental data deletion, or things like malware or ransomware have happened and corrupted the data. And other technical measures like multi-factor authentication, to ensure that it's your users that are accessing the data that they should. And education and training are a large part of that, so helping users with how they can detect problems, guidance and reporting, and having a good company culture to encourage that reporting rather than blaming when mistakes have been made.

So, moving on to part two, the diversity of the skills gap: Rockstars versus Plumbers. So as mentioned earlier, I go to quite a lot of conferences. This is my second time talking at a security conference, and sometimes people ask why I don't tend to talk. Because I feel I don't do cool stuff, you know, blue team through and through; I don't do exciting or interesting research, I just tend to sort of graft. And also most enterprise admins or consultants can't talk about their day-to-day work, as it can present a risk, both security and reputational, to their employer or clients. And so at times when I go to a tech conference I feel the reaction from some might be a bit kind of "I'm a bit enterprise-y", and then I can go to some enterprise security events and the response is a bit the other way round. But to be fair this isn't the case for everyone, and there are lots of great people in infosec and I found it a really welcoming community of people. But I'm hoping that this talk will hopefully make it a little bit less tribal. And so one of the things is that there are great techies within typical enterprise organisations, and there are also lots of researchers sharing their knowledge and time at events like this and others.

So enterprise security can be very broad. It could be everything from securing your physical environment, meeting service SLAs, managing risk, applying controls, vulnerability management, raising awareness, getting and maintaining compliance, governance, incident and crisis management, detection, root cause analysis, systems, apps, patching; you know, it's a really long list. That's from Utah State and that's fairly old now, but that's their overview of their enterprise information security program, and you can see there are lots of different areas. And when you start to add in online services to that, it becomes even more complex, and that might be things like e-commerce and marketing support, the business working with all these new digital companies or directly with developers, hosting SaaS, and then we're starting to see a trend of digital apps, Internet of Things, with brands trying to be innovative. So enterprise work, it's not sexy work, but it's important.

So how does this relate to security researchers, including pen testers and the type of people you see speaking at more technical conferences or in the media? So enterprise depends upon security researchers, whether that's people in reversing, working for antivirus companies or MSPs, or even exposing major security vulnerabilities, which highlights the risks such as using certain service providers, like with the Cloudflare issue, or the importance of patching, like with Heartbleed, or even how difficult it can be to have secure by design, with Spectre and Meltdown. "Your customers are not you. They don't think like you, they don't do the things that you do, they don't have your expectations or assumptions. If they did, they wouldn't be your customers; they'd be your competitors." So people in enterprise security have different priorities: they're there to support the business, and they have different challenges to researchers. They might not have the support from the business to do the right thing, whatever that might be; that might be getting patching in, or secure by design, or hiring better coders. Security teams want to have good network and application security, and researchers help keep enterprises safe through the products and services that they offer, and with the vulnerabilities that they find, and their expertise can help secure more support from the business for the work that we do.

Which brings me on to compliance. So it's not only exposing vulnerabilities that can help enterprise security gain support in the business; compliance programs can also help them too. I know there are lots of different opinions on security versus compliance. I think everyone is in agreement here with Telus that compliance does not equal security, but I do share the view of Redspin that there is overlap. So the compliance standards like the ISO 27000 series and PCI DSS require some of the basics, such as patching and user management, to be carried out, and it's getting the basics right, rather than shiny blinky boxes, that helps most organisations stay secure. So for researchers, sometimes products such as antivirus, and services like SOC and pen testing that they offer, get deployed, and the only reason they're being brought into an organisation is because they're required by compliance standards such as PCI DSS.

So my advice to enterprise security people and those in the GRC space is: if you meet someone who isn't suited and booted or doesn't look how you think they should, please don't write them off as some weirdo who doesn't understand business or enterprise or GRC. Don't be an enterprise rockstar and dismiss lowly tech work as if it's for kids.

So why go to tech events outside your day-to-day work? What value does it bring? So for me it's things like keeping tech skills sharp; it's for things like gaining insight and understanding into emerging threats and how this relates to your environment, and it helps with your thinking about your risk models and keeping those up to date, as risk models do change over time. It also gives you a sense of the work and effort that goes into security products and services; I know a lot of technical researchers and pen testers work very, very hard. It also helps you evaluate why you might consider one product or service over another, so depending on your organisation, where you can't run it all in-house, why there are certain things that you'll outsource. It can also help tune your snake oil sensor. And the other thing I think is that learning something new can be fun and interesting; it could even pique your interest and lead to a change in focus or role.

So my advice to researchers is: if you meet an enterprise security or compliance person at a tech conference, please don't write them off. They may have more tech skills than you realise, and there are some, especially at the very large companies, who have some very, very technical people working for them, and the fact that somebody's there at a conference shows they're interested in learning. The other thing to remember is there's no magic money tree, so unless you're in a very privileged position to be an independent security researcher, the chances are you're in academia, possibly self-funded or being comparatively underpaid, and may look for private sector work in future, so the people you may be speaking to might be your future employer; or you're working for a company offering security services, whether that's as a solo pentester or part of a large consultancy or MSSP, and your salary is funded by enterprise security teams buying something your company offers, whether that's a product you're involved in developing or a skill or service that you're offering. And it also gives you an opportunity to meet your users and customers.

But my advice to all is, whatever type of infosec person you are, in the words of Wil Wheaton, stay, be at it. Okay, and questions? So I've gone through that quite quickly. Any questions?

Yeah, I think I'm tending to find it's happening a lot more with the BSides. So I think some BSides in the past, particularly when they've been a first edition and the organisers have been getting people that they know to pitch in talks, that sometimes resulted in that particular BSides being quite focused. So I am seeing a lot more diversity as these types of events have gone on. I think it is about expanding the network, people expanding their networks, and having that understanding that people do different roles, and then it might be interesting to have, you know, a more technical speaker at a GRC event and vice versa. So that's probably it.

I'm quite curious as to sort of how diverse this audience is, in terms of the split between people who are kind of students or researchers or pen testers or GRC sorts. So, say, how many people here would consider themselves enterprise security or GRC? Okay, that's good, that's awesome. And in terms of pen testers, techie researchers? Oh, that's a joke. I suspect they're all at the other talk, which I know is about a Burp Suite extension. So, any other questions? Alright.
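The transport layer part of the talk names SYN flooding and SYN cookies as the mitigation, without going into how a cookie lets the server stay stateless. The following Python sketch is an added example, not code from the talk or its slides: the server's initial sequence number is a cookie built from a time tick, an MSS index and a keyed MAC over the connection 4-tuple, so a flood of spoofed SYNs allocates nothing, and only a final ACK carrying a valid cookie creates connection state. The secret, addresses, ports and the 5/2/25-bit field layout are constructed for the example and are simplified compared with a real TCP stack.

```python
import hashlib
import hmac
import struct

# Server-side secret for the cookie MAC. Constructed for this example;
# a real implementation generates it at start-up and rotates it.
SERVER_SECRET = b"constructed-demo-secret-not-for-reuse"

# The handshake's third packet must arrive within this many ticks
# (one tick is one minute in this example).
MAX_COOKIE_AGE_TICKS = 4

# A 2-bit field can only recover four MSS values, so the client's
# advertised MSS is rounded down to one of these (constructed table).
MSS_TABLE = (536, 1220, 1440, 1460)

TICK_BITS, MSS_BITS, MAC_BITS = 5, 2, 25
TICK_MASK = (1 << TICK_BITS) - 1
MAC_MASK = (1 << MAC_BITS) - 1


def _ip_bytes(ip):
    """Dotted-quad IPv4 string to 4 bytes."""
    return bytes(int(octet) for octet in ip.split("."))


def _cookie_mac(src_ip, dst_ip, sport, dport, tick):
    """Keyed MAC over the connection 4-tuple and the tick, truncated to MAC_BITS."""
    msg = struct.pack("!4s4sHHB", _ip_bytes(src_ip), _ip_bytes(dst_ip),
                      sport, dport, tick)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & MAC_MASK


def make_syn_cookie(src_ip, dst_ip, sport, dport, mss, tick):
    """Server ISN for a SYN, carrying all the state the server would
    otherwise queue. Layout: 5-bit tick | 2-bit MSS index | 25-bit MAC."""
    mss_idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            mss_idx = i
    t = tick & TICK_MASK
    return ((t << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS)
            | _cookie_mac(src_ip, dst_ip, sport, dport, t))


def check_syn_cookie(src_ip, dst_ip, sport, dport, ack_num, tick):
    """Validate the final ACK of a handshake (the client acknowledges ISN + 1).
    Returns the negotiated MSS, or None if the cookie is stale, forged, or
    was issued to a different 4-tuple."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & MAC_MASK
    # Modular age check in the 5-bit tick space: too old means rejected.
    age = ((tick & TICK_MASK) - t) & TICK_MASK
    if age > MAX_COOKIE_AGE_TICKS:
        return None
    expected = _cookie_mac(src_ip, dst_ip, sport, dport, t)
    # Constant-time comparison so forged cookies leak nothing through timing.
    if not hmac.compare_digest(struct.pack("!I", mac), struct.pack("!I", expected)):
        return None
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """A listening socket that keeps no half-open connection table at all."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = {}

    def on_syn(self, src_ip, sport, mss, tick):
        # Nothing is stored here: a SYN flood costs only the CPU for the MAC.
        return make_syn_cookie(src_ip, self.ip, sport, self.port, mss, tick)

    def on_ack(self, src_ip, sport, ack_num, tick):
        mss = check_syn_cookie(src_ip, self.ip, sport, self.port, ack_num, tick)
        if mss is None:
            return False
        self.established[(src_ip, sport)] = mss
        return True


def demo():
    """Constructed scenario: a spoofed SYN flood, then one genuine handshake."""
    listener = StatelessListener("192.0.2.10", 443)
    # Spoofed SYNs from many fake sources never complete the handshake.
    for i in range(5000):
        listener.on_syn(f"198.51.100.{i % 250}", 1024 + i, 1460, tick=7)
    half_open_after_flood = len(listener.established)
    # One genuine client completes the handshake two ticks later.
    isn = listener.on_syn("203.0.113.5", 40000, 1440, tick=7)
    accepted = listener.on_ack("203.0.113.5", 40000, isn + 1, tick=9)
    # The same cookie presented from a different source port is rejected.
    replayed = listener.on_ack("203.0.113.5", 40001, isn + 1, tick=9)
    return {"half_open_after_flood": half_open_after_flood,
            "accepted": accepted,
            "replayed_accepted": replayed,
            "negotiated_mss": listener.established.get(("203.0.113.5", 40000))}


if __name__ == "__main__":
    print(demo())
```

The design point is the one the talk gestures at: the server answers every SYN, legitimate or spoofed, without remembering it, and the MAC is what stops an attacker from fabricating an ACK for a connection the server never offered. The cost is that the cookie only has room for what it encodes, which is why real stacks round the MSS and have to recover other TCP options by separate means.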
