
Everything I know about security I learnt from Zombie films by Jay George

BSides Scotland, 24:28, published 2017-04

Yeah, welcome to the last [inaudible]. Talk about an introduction to information security. So, where did I wake up this afternoon? So I realise it's the end of what's been a pretty long day, and it's only the keynote after this, so it kind of falls to me to lift all your spirits at some point and end on something a bit of a lighter note than some of the technical talks you've had. So my name is Jay, and if there's one thing I love more than information security, it's the undead, and I particularly love seeing them meet grisly ends in all sorts of interesting, creative ways, and hopefully providing us with some sort of lessons about information security along the way.

Before we get started, a little warning though: this talk will feature graphic depictions of decapitation, disembowelment and, of course, brains. It will not feature fluffy bunnies, unless of course they're being decapitated, disembowelled or having their brains eaten by the undead. So if seeing brains get spattered by a group of gung-ho zombie holocaust survivors isn't your thing, I suggest you find your safe space now. Oh, there may be the odd swear word as well. Hey, you know, if you've got the undead coming towards you trying to eat your brain, you'd probably say a little bit more than "oops". All right then, let's get messy.

There's some people whose childhoods were filled with climbing trees, making dens and running around with their friends playing cowboys and Indians, but who wouldn't eat each other. I spent my youth covering myself in green paint, walking around with a fake limb and [inaudible]. Probably sounds like a normal childhood in Wales to you, but mine was more due to my love of zombie films from a very early age. [inaudible] the coming zombie apocalypse [inaudible]. So while most of my childhood friends dreamed of growing up to be astronauts or [inaudible], I dreamed of a world chock full of cool ways to kill zombies. Fast forward [inaudible], and it seems the security world is borrowing terms from the films of my youth. Now we talk about massive DDoS attacks by zombified computers and things like "the epidemic is spreading". So isn't it odd, though, that we use easily understood terms like that when the security world is full of confusing jargon like this? I mean, anyone would think all this slang and these acronyms were there to stop people from getting involved in security at all, instead of fostering the idea that security is everyone's responsibility. Really, I mean, try talking to a local business about penetration testing and you can get raised eyebrows and [ __ ] from some rather than the look of concern and engagement that you really want. Lots of people looking to break into the world of infosec as a job can sometimes feel like it's a bit of a closed shop, where those inside keep their knowledge to themselves, and getting up to speed on some of the concepts can be a little bit tricky at times. Now, if there's one thing that is easy to understand, it's survival. So let's have a little look into the world of zombie films and some of the possible lessons they can offer us, starting with some of the basic tenets of network security.

I've never seen an infection... I'll get you something, like a glass of water. Anna? Anna?

anyone know one name not in vain

[Music]

[Music] Classic kill. So, what lesson should we start with there? And I don't mean making sure you've got a handy fire poker lying around at all times. If you're going to survive past the first scene in the undead future, or managing corporate networks of some kind, you need to enforce quarantine and segregation controls at every opportunity. I mean, let's be honest, that woman looked pretty ill, yeah? And then she was lying in the middle of a room with lots of perfectly healthy, definitely not dead people too. I mean, all right, to be fair, she could have come in with a case of the severe sniffles and a really bad sunbed job, but the consequences could have been considerably more serious. [inaudible] Maybe if they'd thought of locking her away, observing her for a while and running some tests before letting her mix into gen-pop, then the emergency fire poker treatment wouldn't have been needed after all.

And it should be the same when you consider allowing data to enter your networks too: all data should be screened before being landed in infrastructure you control, which means email attachments, things downloaded from the web, and data sent to you by your customers, your clients and your business partners too. And if you can't be sure whether it's safe, then really you need to quarantine it until someone can. And this extends to separating your network into zones of trust too. You know, the big red thing on the right there, the outside? I prefer to call it the Wild West, you know, and those people shouldn't be able to connect into your networks and do anything they like on your systems and services. I mean, have public-facing web servers that have some particular services running on them, and the outside can get through to those, but they only live in a segregated zone behind a firewall too, so people can't get straight to the crown jewels where you've got your databases of your financial data sitting. And that wireless network too, you know, there's the old adage that wireless is like throwing the network cables out of the window, really: anyone can connect to that if they want to, so throw your wireless clients behind a firewall too.

A great example of segregation gone wrong: the TJ Maxx breach, way back from the 2000s now. So the attackers got in through a very poorly configured wireless network, and then went on to get access to other parts of the network, and somewhere along the way were able to get hold of loads of employee credentials to access databases, and they started to harvest the credit card details of TJ Maxx's clients. The conservative estimate was that forty-five million credit card details were breached, possibly looking at up to as much as 100 million. Now, those attackers were in the network for eighteen months before they were found, and the total cost is estimated to be up to roughly two hundred and fifty-six million bucks. So, not an inconsequential thing. So let's have another look at a bit of security. [inaudible]

[inaudible] So it's not just the [inaudible] that'll kill you. Lesson from this? Anyone around Waverley station, sure? Yeah, well, a healthy sense of scepticism is a good thing to have in your security mindset. You know, going on from the previous point about screening items that come into your network, you should really make sure the end users of your information systems are checking things that make it through your filters too. It's common practice for malware to hide inside seemingly useful pieces of software that's made available on a website to download, or sent in by email for unsuspecting users to click on and open up, usually when they're sitting on your most protected corporate networks. Many of the phishing scams have evolved over the years, a change from the emails offering almost-too-good-to-be-true deals. There's lots of CEO whaling attacks that we've seen, where attackers mimic a trusted or internal domain. If we look at the one highlighted in yellow up here, there's an "rn" masquerading as an "m". People can be easily fooled by these things, and then they try to lure someone with enough rights to authorise a very high value payment to the person carrying out the attack here. And just in case you think this isn't really as much of a problem as it seems, well, the FBI's data says CEO whaling has cost US businesses around 2.3 billion dollars over the last three years. In fact, last year the CEO of an aircraft parts firm got fired after falling for one of these scams, which cost the company just shy of 41 million euros. So that's a fair amount. Okay, one more of the basics before we go on with the rest of these steps.
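The "rn" for "m" trick mentioned above can be checked mechanically at the mail gateway. The following Python is an added example and is not code from the talk or its slides: the trusted-domain list, the confusable table and the sample From: headers are all constructed for illustration. It folds a sender's domain to a "skeleton" in which visually confusable sequences collapse to the letter they imitate, then flags any domain whose skeleton equals, or is one edit away from, a trusted domain. Going slightly beyond the single case in the talk, it also handles digit-for-letter swaps and one-character typosquats.

```python
"""Spot sender domains that impersonate a trusted one ('rn' for 'm' and friends).

Added example: the trusted-domain list and the sample From: headers below are
constructed for illustration and are not taken from the talk.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Hypothetical trusted domains: the ones finance should expect payment requests from.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Multi-character confusables that render like a single letter in many fonts.
# Longer sequences are folded first so "rn" collapses before "r" or "n" alone.
_CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Single-character confusables (digit or symbol standing in for a letter).
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b"})


def skeleton(domain: str) -> str:
    """Fold a domain to a canonical form so visually similar spellings collide."""
    d = domain.strip().lower().rstrip(".")
    d = d.translate(_CONFUSABLE_CHARS)
    for seq, rep in _CONFUSABLE_SEQUENCES:
        d = d.replace(seq, rep)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of an RFC 5322 From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


@dataclass
class Verdict:
    domain: str
    verdict: str                 # "trusted", "lookalike" or "unknown"
    impersonates: Optional[str]  # trusted domain being imitated, if any
    reason: Optional[str]        # "homoglyph" or "typo" for lookalikes


def classify(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> Verdict:
    """Trusted domains pass; anything folding to, or one edit from, one is flagged."""
    dom = domain.strip().lower()
    if dom in trusted:
        return Verdict(dom, "trusted", dom, None)
    sk = skeleton(dom)
    for t in trusted:
        if sk == skeleton(t):
            return Verdict(dom, "lookalike", t, "homoglyph")
    for t in trusted:
        if edit_distance(sk, skeleton(t)) <= max_distance:
            return Verdict(dom, "lookalike", t, "typo")
    return Verdict(dom, "unknown", None, None)


def scan(headers):
    """Classify a batch of From: header values; returns one Verdict per header."""
    return [classify(sender_domain(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    SAMPLE_FROM_HEADERS = [
        "CEO <ceo@example.com>",
        "CEO <ceo@exarnple.com>",            # rn standing in for m
        "Finance <ap@examp1e.com>",          # digit 1 standing in for l
        "CEO <ceo@exampl.com>",              # one dropped letter
        "Supplier <ap@supplier.example.net>",
    ]
    for v in scan(SAMPLE_FROM_HEADERS):
        print(f"{v.domain:24} {v.verdict:9} {v.impersonates or '-':16} {v.reason or ''}")
```

The folding is deliberately aggressive, so a "lookalike" verdict is a reason to quarantine the message for a human to check, in line with the earlier point about screening what enters the network, rather than a reason to drop it silently; a legitimate third party with an unluckily similar name will otherwise never get through.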

[Music]

[Music]

All right, so the first thing that does come to my mind is that it looks a hell of a lot like [inaudible] on top of that truck, but hey, this one's actually a hotbed of advice all crammed into one delightful nugget of brain-splattered loveliness. So if you dig a little bit deeper into the blood and the gore, well, what can we learn? Well, first and foremost, learn the value and importance of having a backup of some kind. When we talk about the pillars of security, people tend to focus on confidentiality and integrity and they kind of leave availability to one side. Let's be totally honest about things: availability is effectively the services that you need to deliver the business that you run. If you don't have those services in place at all, you're not going to generate any income or all those other nice things your company's supposed to be doing. So when you're fighting through the horde of the undead intent on having you for lunch, having a spare gun is going to get everybody [inaudible]. Think of your organisation's systems that you're trying to protect, and back everything up before making that big change to your public-facing web server; it gives you a good means of rolling back should something go wrong. You know, there's a few things that will lose you your job quicker than an embarrassing outage that could have been prevented by hitting the big red backup button.

Of course, the big issue most organisations face these days is ransomware: all your important data gets scrambled by the bad guys, who then demand a stack of cash in return for decrypting your files instead of leaving them as worthless junk for all time. Well, without backups, you're really going to have to pay, as one US police force found. You know, very embarrassing for them: "we do not negotiate with terrorists", or online criminals, fine, "we're going to lose all of the data we have", which, again, [inaudible]. That was the last eight years' worth of digital evidence in one go. They claimed at the time not all of it was critical stuff, but there's a really great quote from one of the defence lawyers involved about whether it was critical data or not: he said, "well, it depends which side of the jail cell you see it from, really". And again, just in case you think it's solely a US police force issue, 57% of NHS trusts in Scotland have been hit by ransomware attacks, and right at the start of this year the largest NHS trust in England got caught out too.

Now, an extension of this is to have a really solid rollback plan as well. If you know you're going to be surrounded by hordes of flesh eaters, then keep an eye on your exit. [inaudible] It's probably going to save your lives too. And you really should document your plan to return to your original state with your main systems as well, before you get [inaudible], I mean, before someone notices you've enacted some kind of [inaudible]. Now, an important point from that scene as well is not to go solo on anything. You need to plan your security work in a team and spread the load out a bit, whether that's pulling in a multidisciplinary team from across your organisation, or outsourcing to experts to complete your 24/7 security monitoring on your behalf. You need to involve each other. So that's it: anyone done [inaudible] the first few zombie hordes, or planned for a few dead ends and fought your way out with nothing but a dustbin lid and some sharpened drainpipe? Great, so let's start thinking about long-term survival in a world where everyone's out to attack us, with danger behind every door, and we'll need to mix offensive and defensive skills in order to survive the modern threat landscape. You ready? So, limbered up, tied your shoelaces, cardio done? Let's crack on.

and girl I'm a twisty little girl

[Music]

[Music] She's not going to [inaudible] today, is she? But it's fine, because her sacrifice is for the benefit of the rest of us, as it perfectly illustrates the point: never underestimate your opponent. Now, we've moved on considerably from the days when it was solely bedroom hackers and crackers breaking into online systems for fun. We're into a world of highly organised, well-rehearsed, well-funded threat actors who have considerable experience in separating you from your data and your funds. Groups like the Russian Business Network, which sounds a little bit Chamber of Commerce-y, have been around for years, actually, running botnets, putting out spyware and monetising their activities through identity theft, stealing credit card details, all that nasty stuff. More recently, of course, the hot topic has been allegations of Russian involvement in the US election, with Cozy Bear and Fancy Bear linked to attacks against the Democratic National Committee and apparent misinformation campaigns too. And of course there's this unassuming building on the outskirts of Shanghai that supposedly houses units of the People's Liberation Army of China whose mission is to hack foreign organisations and private businesses, Monday to Friday, nine to five, you know, like a normal job. There's a great interview with Obama from a few years back where he's recounting a meeting with some Chinese officials, who said, look, you know, you guys spy on us, we spy on you, that's fair enough, but for you to come to me, hacking the private companies, people like Apple and so on, in our country all the time for your economic gain, that's not on. And the response was, you caught us. So to be as brazen as that just shows that people have become quite comfortable carrying out activities such as this.

Now, a little bit closer to home, everyone's favourite ISP that they love to hate, TalkTalk. I'll pounce on them regardless, because they were awful. Lovely headlines in the Daily Mail there; I mean, they really know how to whip up a frenzy. Yeah, I mean, TalkTalk's databases were breached by teenagers who made use of a very easily exploited vulnerability in TalkTalk's systems, resulting in the theft of almost 160,000 customer records. Now, the Information Commissioner, Elizabeth Denham, even went on record to say that TalkTalk's failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease. This resulted in a 400 grand fine and a considerable dent in confidence in the company, so red faces all round.

In those moments when you're not sure the undead are really dead-dead, [inaudible] I mean, one more bullet to the head and this lady would have avoided becoming a human Happy Meal, wouldn't she? Very straightforward lesson with that: follow up on your actions. Or, as Uncle Joe Stalin used to say, trust but verify. If you're going to apply a patch to a system or make an infrastructure change, you should really verify afterwards, any time that you can, you know, to make sure the thing you fixed hasn't introduced some other issues, and that the thing you're trying to fix did actually get fixed as well. There's a reason why the PCI Data Security Standard for protecting payment card details states that you carry out penetration testing after any major change: just to make sure nothing's been missed. However, that's not everything. One of the biggest problems I see in various organisations I deal with: a lot commission penetration testing and invest a fair chunk of cash and a significant amount of time, and then have this big list of items that they need to fix, seems pretty good, and I go back a year after that and most, if not all, of the vulnerabilities will still be there. They haven't patched anything. They've effectively wasted all that investment of time and money in having the work done, you know. And because these are old vulnerabilities that are in place and they've been in the public domain for a long time, it's much more likely at that point that someone with the skill level of a script kiddie could find and use an exploit and own those systems. You know, and that's quite a worrying graph from the Verizon Data Breach Investigations Report there; it shows that when they last surveyed, in 2015, it was known vulnerabilities from years past that were absolutely being used to compromise. It's no good having a patching programme if you don't actually do the patching. Then there's some anecdotal tales about commercial banks that I won't name that suffered an attack: they had a whole heap of vulnerable systems they'd known about for quite a long amount of time, and simply didn't fix them. [inaudible] Let's look at something a little bit more [inaudible].

[Music]

Olympic-level kill. You know, all this doom and gloom, highly rehearsed opponents, putting in the right technical security controls and all their dependencies, is enough to make your average security person shake a bit, especially when it comes to asking for funds to pay for things. You know, I always feel that security feels like it's a bit of an invisible thing, really. Now, how do you prove it is actually supporting the company to be secure and allowing it to carry on going forward as a commercial entity? It's surprisingly very difficult to ask for investment in new tech, unless you have the ear of your chief exec, or you're one of those silver-tongued security salesmen who will promise the end of the world on one hand and then a magic bullet to fix it all on the other. And if you're in a smaller firm or even a nonprofit organisation, sometimes the funds probably aren't there anyway, so you can't go knocking on the door for the latest shiny, all-singing, all-dancing unified threat management box from those vendors in Gartner's upper-right corner. You know the sort: they spend as much on their marketing as they do on their R&D, and then they've got to recoup that money somehow, and it might as well be out of your pocket. This is where you've got to learn to love open source: community supported, often with years of solid development and implementation in organisations of all sizes. You can put in place some incredibly effective tools that don't cost anything beyond the initial investment of your time to learn how they work, and I think there's nothing bad about learning new stuff. You want an IDS? [inaudible]. You want to control devices connecting to your network, packet sensing? You know, name any commercial security tech and it has a free open-source counterpart, and a lot of them even have commercial support packages going for a mere fraction of what the shiny box version costs. So finally, there's only one way to wrap this up, with a reminder for all this. [Music]


Not exactly stealthy; you can't argue with the effectiveness of it, though. I'll open it up to the floor: what can this delightful piece of glory offer to us?

Pretty much that, you know: sometimes you just have to admit defeat, wipe the whole thing, invoke your nuclear option and start from scratch. Way back in 2011, Microsoft started recommending you reinstall the operating system if you got caught by a particular rootkit, and with the way software these days evolves in deployment, even non-targeted commercial malware has such advanced evasion capabilities built into it that it's probably going to persist through any cleaning efforts you try. And Sony's blunder is a really good one here, you know: trying to put some anti-piracy measures in in a really underhanded way, sort of [inaudible] a copy-protecting rootkit that they had, you know. They provided a fix to remove the software that [inaudible] and opened up the endpoints to an even worse vulnerability. This goes beyond malware incidents as well, you know; it applies to breaches of all kinds. So we live in a very litigious world now, and there's a lot more finger-pointing between businesses when it comes to dodging the blame for security breaches taking place, and the amount of assurance around good security throughout the supply chain just goes up and up. So are you going to just boot an attacker out of your system, or do you want to rebuild the whole thing from a known-good backup you have, or even start from scratch? It's going to take a hell of a lot of explaining if the same system got compromised twice, and that's not the sort of explaining I enjoy doing.

So what have we learned? Well, apart from a whole bunch of useful zombie-slaying security techniques, we should remember one thing: there's no cure for the zombie virus, and there's no end state for security either. It's a moving target, and it comes from the vigilance, learning and determination required to protect your important data and keep the fleshies at bay. So keep a spare clip close to hand, make sure your security chainsaw actually works, and you never know what you might find in a sporting goods shop. So thanks for your time. Let's take a moment to reflect on one thing: if the rabbit made it out alive...

[ feedback ]