
Perspective and Opportunity Costs of Cyber Attacks

BSides Tampa · 2021 · 30:44 · 59 views · Published 2021-04
Style: Talk
About this talk
Kyle Bess examines cyber security through an economic lens, arguing that the focus on protecting multinational corporations masks the vulnerability of developing nations with limited cybersecurity budgets. He explores how opportunity costs of attacks—the resources diverted from business operations—disproportionately harm countries without access to elite talent pools or expensive security tools, and proposes that open-source solutions and international support can help bridge this gap.
Original YouTube description
Kyle Bess: Perspective and Opportunity Costs of Cyber Attacks

The question that is immediately asked whenever a zero-day rifles through networks, as firms rush to find a method to triage, is "how does this affect business?". Although this is incredibly important, and the argument can be made that these multinational organizations that develop the medium we use to express culture should be our first concern, I would like to offer a different perspective. Opportunity cost is a concept that most have a tangible understanding of. The opportunity cost of a cyber-attack could be an astronomical amount as you start to hemorrhage resources to triage where you could have been conducting business as usual. Software as a service (SaaS) products are not only more relevant than most hardware in our industry, but they also cost substantially less to found, in theory. It is not a focus on manufacturing and the reinvention of workers manning an assembly line; it's about how technology is revolutionizing how we do things. We live in an age where NATO has recently recognized cyberspace as a warfare domain, and these countries are being placed at significantly more risk. With their extremely limited funding, some of these countries are going to be far from investing in things like cybersecurity. The solution to this going forward is a reliance on some of what makes modern software companies tick: open-source software like Wazuh and other options to counter the incredibly feature-dense but expensive products that are dominating the market.

WEB: https://www.bsidestampa.net
DISCORD: https://discord.gg/FhdkSNa24P
TWITTER: https://twitter.com/bsidestampa
MERCH: https://bsides-tampa.launchcart.store/

About BSides Tampa: B-Sides Tampa is an Information Technology Security Conference hosted by the Tampa Bay Chapter of (ISC)², a registered 501(c)3 non-profit organization. The purpose of B-Sides Tampa is to provide an open platform for Information Security industry professionals to collaborate, exchange ideas and develop long-standing relationships with others in the community. The B-Sides Tampa IT Security Conference took place virtually on March 27th, 2021.
Transcript [en]

All right, welcome back everyone. We are at our three o'clock session. Just to let you know, for our three o'clock session we've got Kyle Bess; his presentation is on perspective and opportunity cost of cyber attacks. Kyle is a cyber security analyst turned software engineer, sounds like the story of a lot of us, just turned a lot of things. His perspective from a non-traditional background aids in his ability to expand his frame of reference. He's self-taught with code (raise your hand if that's you; I think that's all of us) while studying analytics, finance and accounting to equip himself with the tools to draw better insights for a data-rich industry. So what exactly are opportunity costs? This is what Kyle is going to be telling you about. It's a concept that most have a tangible understanding of: the opportunity cost of a cyber attack could be an astronomical amount as you start to hemorrhage resources to triage where you could have been conducting business as usual. So with no further ado, Kyle, the floor is yours, my friend.

Hello, hello, and thank you so much for that warm welcome and introduction. That is my desktop; there we are. So yeah, as I was just introduced, I do come from a traditionally business background, and then I started to teach myself a lot of the technicalities behind our industry because I found it so fascinating. I think the most valid thing, that I'm sure everyone around me has heard at some point in time or another, the moment that I realized I wanted to get into tech, was when I heard, coming from a finance background, that there was a quantitative hedge fund that was using satellite data on weather predictions to measure the amount of water in wells to predict the pricing on oil commodities, which is just so over my pay grade and so over-engineered that I don't even want to attempt to understand what it is. But beginning my talk: this is about the opportunity cost of cyber attacks on developing nations. It is going to get into economics at the very, very most high level; it's going to be about as in-depth as an intro economics course would ever get in an undergrad situation. But here we are. So what qualifies me? Not a whole lot. As I said, I am a jack of very few trades and certainly a master of none. These are my hobbies: guitar, reading, mechanical keyboards, cycling and cooking. So we're going to go ahead and get into it.

The narrow concentration of attacks. So my first point with this is mainly centered around whenever a zero day goes out or some form of exploit comes up, the first reaction that nearly everyone has, including media and security analytics experts, including everyone in our industry, is: how is this going to affect business? Which is a very valid concern, don't get me wrong. Even the four companies on the left have had an astronomical impact on society and business in the 21st century and 20th century alone, and that's a valid concern from any perspective. However, my talk is going to be about something different. Basically, what I mean by it's a valid perspective is, as you know, Facebook owns Instagram and Facebook themselves, and these are the platforms nowadays that culture is even expressed through. So if a platform like that was to go down, then we lose a lot of the ways that we actually communicate and a lot of the ways that have kept us sane alone in the last year. So like I'm saying, it's not typically the smaller players in the picture but those who lead industries and/or many of us rely upon. So you have crazy, crazy big companies like Goldman, but no one's focusing on the hospitals that have Windows XP and everything like that, that can't necessarily be as agile to move around and instantly update all of their systems.

So we're going to do the next slide. A local one: Oldsmar. A lot of people are going to remember this because it really was not even that long ago. I believe there was the RDP on the network; they managed to get in and they attempted, thankfully not successfully, to increase the amount of lye in the water supply. So those bullet points are basically the effects that it would potentially have; I went through a couple of medical websites, but unfortunately that is not one of my areas of expertise. From a hundred parts per million to over 11,000: that was the attempt. So my main rationale for including the slide was, if it were to happen in what would be considered one of the most, if not the most, developed nations in the 21st century, what about others? What about other companies that don't have as great of infrastructure as some of our biggest proponents of the economy have? So it's always something to think about, where I feel like a lot of the focus goes towards: all right, what would happen to Microsoft or Google or Facebook if this were to get out? And not what would happen to the smaller players, one of the smaller players in this example being a water treatment facility that a lot of people wouldn't think, oh, this is how I affect a nation.

The cost of an outage. This is tying back to a little bit of what I said. So the cost of an average outage at a singular company: I'm sure a lot of us remember, a couple of months ago, Google went down for just over an hour. YouTube is down, Gmail is down; now, Google Search was not down, which is their major proponent of driving revenue, so their most ambitious business model did not go down, but 2.3 million dollars alone for one of the examples of one of the larger players actually going down in the 21st century. This is again what I'm talking about: how culture is expressed, let alone how productive you are in a system. So Gmail is absolutely gigantic; I'm sure all of us receive multiple things with spam every day. YouTube: entertainment, that's the lack thereof of productivity. Google Drive: having an integrated place for storage. Google Meet, Google Docs: tools that have become even more essential during the pandemic and over this last year, where a lot of our work has to be collaborative. I mean, you have Google Docs and Dropbox and things of that nature, but this is again one of my focuses on how impactful a zero day can be. But again, this is a focus on one of the larger companies, whereas this is going to be turned more into a talk of what could happen potentially for a smaller player.

Opportunity cost. This is starting to get into the economics of why I'm saying that a lot of this is pretty commonplace. So opportunity cost, in short, is the loss of potential gain from alternatives when another alternative is chosen. Before I get into the context of cyber, we're first going to just look at, you can see the Napkin Finance example of it, but especially in high school you're like, oh well, I worked all week, I can go to a concert. The cost of that concert is 70 in addition to the amount of revenue that you would gain from working that night. So applying this to cyber attacks: the investment into development of infrastructure or other areas, so you choose to forgo the amount that you would put into higher security, and even training, so that the Oldsmar incident would never happen and you would never have a port like that exposed to the internet that someone could exploit so easily. But you would have something that wouldn't even sum up to the cost that you were investing in another area; but it would be the sum of the cost that you invested into another area in addition to the potential breach. So the amount of costs associated with the hospital bills that could have potentially happened if the Oldsmar incident went through and our water source was contaminated with a hundred eleven thousand, or whatever the figure was, parts per million of lye. That is also tying into the cost that they forgo to invest in things like infrastructure and other places. That's kind of what that second point is tying to.

How the nations compete. This is going more into the economic theory; again, this all looks back to cyber security, I promise. So comparative advantage: the ability of an individual or group to carry out a particular economic activity more effectively than any other activity. In the context of security, who has comparative advantage and why? Is it nations with top universities? So this is kind of tongue-in-cheek; I think the answer is relatively clear. These top universities have been everyone's go-to for producing skilled labor all throughout the 20th century, and even they're a landmark of our industry in the 21st century, whereas a lot of people think that the only path to a career, regardless of wherever it may be, is a four-year degree or even an associate's with certifications. So comparative advantage has been focused

university. They also get the human capital; America gets the human capital of the people that are filtering in to go to these universities in order to run all of their integrated systems.

We are actively working with Kyle, trying to get him on, folks, so please bear with us. I turned my mic on and let the group know that we're working with you, bud. All right, you may see me again.

Hello again. Sorry for whatever that did, whatever that may have been. Here we go; I hope you guys can actually hear me now. All right, again, we can hear you and we see the presentation; go ahead, Kyle. Right, do you know about where it was before it kicked me out? Why don't you go ahead and start going through your slides, dude. Okay, so I don't really know what point we were at. Yeah, keep on going. Here? Nope, keep on going. I think that's a weird one; what else does it say? I think it was this one. No? Oh, it is; Chris says back. Industrial? Chris, we'll just continue from the other slide. Right there, right there, dude. Okay, awesome.

So again, sorry for whatever happened; again, I blame Spectrum internet. But I guess we'll go over all my points again. How do nations compete in the 21st century? It's all about imports, exports and trade. So comparative advantage, again touching upon a pretty basic principle in all of economics. So especially a nation that specializes in one particular thing is going to be stronger and typically play to those strengths rather than trying to kind of fortify their weaknesses. So in the context of security, who has comparative advantage and why? Is it nations with top universities? This is kind of tongue-in-cheek because it's obviously the answer of the people who have top universities. So you have things that are even as highly regarded as the Ivy League in terms of the United States; you have Oxford, you have Cambridge, you have all of these ridiculously massive research universities who fund these programs with cutting-edge technology, but a lot of the times that's difficult for those with not much funding to get a hold of. I mean, you have Harvard with an over 30 billion dollar endowment that can cash flow the implementation of machine learning to security all day long. But those organizations and countries that don't necessarily have access to talent from these top universities often suffer because of that. You don't have the same amount of talent pool that you can draw from; you have people who have never even used the technology versus some of the people who have built it on your team.

So again, we're going to go into the next point, but one of the greatest things about this pandemic, unfortunately, has been how it has absolutely revolutionized the learning framework, and it's been happening for years now. But the first industrial revolution and opportunities that present themselves: some economists theorize that we are currently in a period deemed to be the fourth industrial revolution. Rather than the output being tangible goods, the service economy presents an incredible opportunity for countries looking to increase GDP. So a lot of people don't really realize the sheer amount of impact that the other revolutions have had on us in general. So the summers that we were so fond of as kids, going from K-12, were only because those people who were able-bodied worked the fields and produced and worked amongst people that needed the extra productivity rather than being in school. There was even research done showing why the classrooms were organized the way they were. It's absolutely immense. But the fourth industrial revolution, in this theoretical period that we're in currently, is all because it's not so much a focus on tangible goods, as I stated beforehand, and we're not forming assembly lines to make cars; that's no longer cutting-edge technology. We're now focusing on the development of STEM and software-as-a-service products and trying to build ourselves from the ground up to be an economy, and to be a nation and a world entirely, that can teach these at a lower level, so that whenever kids get to a higher level like college and high school they're already able to apply themselves in pragmatic software development that will absolutely revolutionize how we do things. Software-as-a-service products are now great in number, and you're only going to see them increase.

So a lot of this can be shown in after-school programs now focusing more on STEM, universities even pushing it. IT is going to be one of the most expanding fields in the 21st century, as you can see by the US labor and job market reports. So how can other countries do this that don't have access to it? So this is going into overcoming barriers to entry. So unfortunately, in the past, the barriers to entry have been absolutely immense. Like I was saying earlier, in lieu of a four-year degree, nowadays you have some people who don't even have a bachelor's but are still finding their way into top companies and organizations because they have the skills. It doesn't necessarily mean that you don't have a piece of paper associated with your name, but you have alternative means of education now which significantly reduce the barrier to entry. You have Security+ and even Google Analytics and stuff like that, which can show that you have industry-specific skills that aren't necessarily built on a foundation of public speaking and professional writing and other preliminary courses that you're going to have to take for your major at a four-year university. You're getting straight into the meat and potatoes. So companies like Coursera especially have been known to be pretty prevalent in this matter. I mean, you can see even in the background they're offering UPenn, Yale, Duke, PwC (top accounting firm), Princeton, Google, University of Illinois, Northwestern. All of these top, top colleges are now dispersing all of their learning material at a more affordable price. Like, I can take a UPenn course for fifty dollars rather than paying sixty-five thousand dollars in tuition. So with such easy access to learning materials now, you're going to have some of the people that are looking into these things from high school, and they come into an industry at 18 or 20, before they would have even graduated undergrad, with more practical skills for the technologies that could be in demand for the 21st century.

And that alone, and all you really need, is an internet connection, a laptop and some grit, and you're more than fine. But barriers to entry in the software space are a little bit more difficult, because you have such large players. No one's going to come and be the next Google; no one's going to index the entire internet and then be the greatest search engine, because once you get to certain scales, Google draws off of the data in the searches that they get. That's how they tune their algorithms and how they do their models; you're never going to get to that level of production. But there are alternative industries that can be started that don't have even many players in them.

So open source software is cool. Even Amazon uses Elasticsearch, to their chagrin. Amazon used Elasticsearch a crazy, crazy amount, to the point where Elasticsearch revised their entire business model just to try to remove some of the profitability that AWS is having. But open source software is absolutely incredible; I know I don't really have to praise it that much, especially in the audience that I currently have. Open source software can be credited for keeping any industry-leading company ticking. Not only do they rely on it, but they often open source a lot of their software. So Google, they've even open sourced Golang, which is an incredible, incredible language; couldn't recommend it enough. You have Facebook too, with React and GraphQL, which power a lot of our internet today. GraphQL, a lot of people don't know, that was the entire bread and butter behind how they got their mobile app to work, because it was just a complicated mess integrating their web frameworks and web technologies into some of their mobile tech. Thanks to a couple of engineers, GraphQL, they eventually open sourced the project, and even the company I work at, ReliaQuest, right now uses a bunch of open source technology including GraphQL. Goldman Sachs' data modeling software: one of the biggest, biggest, biggest players in finance today. Nowadays you have them going through not only the investment banking channels that they were so prevalent in, but now they're kind of starting to hit into the credit card industry with Apple Card.

So what does any of this have to do with the development of security for smaller nations? What you see on the right there looks like a SIEM. It is; that's an open source SIEM. That's one of my suggestions for the countries that don't have these one to two million dollar budgets, even annually, to get something even as simple as a LogRhythm or a Splunk or a QRadar or an ArcSight. They can't afford that. And as long as they have, to a degree, a couple of log sources actually going into the SIEM, you have at least one platform to start measuring by.

So solutions affecting smaller nations: again, I'm going to touch more on the open source side, but international organizations like the United Nations have some things. The Office of Counter-Terrorism, where larger countries actively donate to support strengthening against cyber attacks and other forms of terrorism. So you have countries within the United Nations donating immense amounts, and when I was doing research leading up to this, you have even Saudi Arabia donating like 110 million dollars annually to help support against these types of things. So the first step in the right direction, in my opinion, is getting developing countries to an extent where they know that their infrastructure is not going to be completely taken down by whatever the newest form of exploit is. Unfortunately, that's not as easy as it sounds, and that's why I was talking about the reliance on international organizations, where they would have immense amounts of funding where some would not. It's hard to be completely as agile as even 21st century companies nowadays, because you don't necessarily have in the budget to migrate all of your servers from X version to Y version, and hardware issues related. So this is where the development of alternative courses like Coursera become immensely beneficial for education. No longer do you necessarily have to rely on the insular ivory towers, as they always say. You now have human capital at any place in any country; again, with internet, a computer and some grit, you can teach yourself practically anything. There are stories of people even learning how to code on pen and paper, then going and just absolutely massacring people in coding competitions, which is absolutely incredible. And top right, I have an example of some of the controls that the international organizations recommend. So this is kind of where you would start with getting people to a similar margin in order to be kind of, sort of, secure, and then it's up to them at that point. But that is about my presentation. I do apologize immensely for all the technical aspects, the outages, and we're going to just go ahead and pin that on Spectrum.

Hey, no worry about those outages, man; now we're all here. You know, we've been through it all, especially this last period, but no worries, you did a great job, Kyle. So let's go through some of the Q&A. We've got two questions. So first up to bat is here: what is the data on people without degrees but skilled getting into the large companies or organizations?

I don't necessarily have data, but what I do have is first-hand experience. I know a couple of people, especially at ReliaQuest, that have associate degrees and certifications, so they're not necessarily overly reliant on a university like USF or UF or UTampa, especially around the Tampa area. But they did an associate's while in high school and they pursued certifications in order to, again, develop pragmatic experience in lieu of developing soft skills, which are always important. But I know one of the people that was volunteering even at a table, Killian, I can tell you guys more about that one.

Well, I can kind of sort of speak specifically to that. I've got a pretty large team here; we've got folks that, you know, they didn't get a degree, they do have maybe a couple of certifications, not many, most started as high school, very skilled, and, you know, they're not having any luck applying for positions out there, so that's why that question was asked.

But it's also getting immensely competitive nowadays, and that's why a lot of the companies are looking for certifications. And even if you don't necessarily have the funding in the budget to go for some of the certifications (I know Security+ and Network+ can be kind of costly, especially a lot of the SANS certs), you have companies like AttackIQ doing free certifications now, which show nothing but drive that you actually want to grow and learn in your industry, which I'm sure will speak volumes on a resume.

Awesome. All right, next question here: in your opinion, do you think that it would benefit the developed nations to help developing nations to better secure their infrastructure systems?

Yes. Yeah, so that was more along the point; I'm sorry if that was rather obscure, if that's what I was trying to get to. But on this last slide, where I was talking about the international organizations like the UN, their Office of Counter-Terrorism is where some of the more developed countries like Saudi Arabia and Europe, and I know the United States even, donated like a couple million dollars towards this. This is a fund alone for helping some of those other nations kind of get up to par. Of course, it's not incredibly easy for them to develop technologies in a year or so, but that being said, whenever they get up to speed, you now have a shot at your GDP, because you have software-as-a-service products. They don't necessarily require tons of natural rich resources; you don't necessarily have to be a country that's rich in diamonds or gold to make an impact in the world now. That can be your route to success in the 21st century as an organization.

All right, here's the curveball, Kyle, you ready for this? Where do you get your ice cream and what's your favorite flavor?

Where I get my ice cream: we have a place in Tampa, it is absolutely phenomenal, it's the best ice cream I've ever had. It's off of Florida; it's called Revolution Ice Cream Company. They have a cinnamon swirl flavor that has like hardened icing on top of it. Absolutely phenomenal.

All right, and here's the last question of the day, unless anyone else throws up any other questions: what certifications or degrees would you suggest for those that are not certified? What type of a progression path would you suggest?

Okay, I am not as active in security as I used to be, since I'm more on the software engineering side, but even I am pursuing, as we speak, Security+ and the junior pen test cert. And especially if penetration testing is something you're immensely passionate about, I have tons and tons and tons of co-workers who rave about how much experience and knowledge they've gained alone from the Offensive Security, the OSCP cert, whatever the acronym actually stands for. I have a friend that sat for it who is a software engineer, and he said it's all about perspective, and it helped him think critically in CTFs just by going through all the training in the labs that it requires. So I'd recommend all of the Security+, Network+, OSCP and then the eJPT.

Well, Kyle, those are all the questions. Thank you so much for your time; you did an amazing job, even though we've had some issues with Spectrum, you did an amazing job. Thank you so much. And hey, for those of you that are still out there, if you still have some specific questions for Kyle, please ask him; he'll be out there on the platform, he'll be more than thrilled to answer those questions for you. So we're actually leaving this session 20 minutes early, so get out to those tables, mix and mingle, and enjoy the remainder of the conference. And feel free to reach out on LinkedIn, and feel free even if it's not on this platform; you had a question a couple of days ago. So, all right, have a great one, everyone.
