
So this is kind of just a basic presentation based on my experiences as a pentester, and maybe there'll be some things in here where you guys might have thought some of these things at one point in time, so you may be able to relate. So if this first slide is shocking to you, you may have meant to go to the other presentation, so hopefully you're in the right place. So we're going to talk a little bit about the laws and consequences of cyber insecurity and how ultimately the ultimate consequence could be the likely destruction of mankind, but I'll get back to that later.

H-town, hello.
Okay, okay, cool. All right, so you're probably familiar with the hack of at least one of these companies in the past couple years, and obviously these aren't the only companies that you might have heard of that got hacked, but these are some obviously well-known, pretty large companies, government entities, things of that nature. So I'm just going to throw out a couple quotes that were made fairly recently. One is, "The Chinese have penetrated every major corporation of any consequence in the United States and taken information." That was stated by Mike McConnell, former director of the NSA. And my other quote is, "There are two kinds of big companies in the United States: there are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese." And that was by the current director of the FBI, James Comey.

Hello? Double-click to go back... hey, wait... oh, so the arrows are working now. Great, okay. So what about your company? When you see hacks on the news about these entities, do you just ignore them, not pay attention? Well, just consider those as warning shots for you, and that you should really be introspective and start taking seriously the security that your company has. Okay, disclaimer. All right.

So I've been doing NVA/PTs, or network vulnerability assessments and pen tests, for a number of years. Social engineering is part of that, where you might make phone calls or send phishing emails, and I also occasionally work on incidents. Now this is actually who I think I am; the reality hurts, though: this is actually me in reality. So I'm going to start with a basic rule, or for your scientists or mathematicians out there, an axiom, and that is: your company will never be secure. Okay, and there's a number of reasons for this, and I've listed some there, and we'll get into each of those areas. So there's three ways you can address risk: you could ignore it, you could address it or mitigate it, try and mitigate it, or you can transfer it with something like cyber insurance. That's sort of a new thing, still kind of being worked out. So you want to raise the cost of exploitation so that attackers will move on to easier targets. That's kind of a goal.
Okay, so we tend not to want to try to understand things, but really, every one of us should try and understand technology a little bit, at least a cursory understanding, because it often seems like magic to us. It's really not. So media tends to fuel the fears of things and misunderstandings, and oftentimes you see in the news about attacks, "oh, this was a sophisticated attack against us." You see that all the time, over and over again. In reality, at least the initial attack is not sophisticated in most cases; you're talking about a phishing email to an employee of a company. So we like to implement things without understanding the consequences of what we're doing. Devices that are placed on the internet get immediately attacked, within just a few minutes. I guess you've seen things out there: within the first seven minutes of putting a device on the internet, it starts getting attacked. Most companies don't know that they're being exploited, or what we like to call by the term "pwned," and on average a company becomes aware of an exploitation of their network after two-thirds of a year, and oftentimes they're notified by a third party like the FBI, or somebody who was being attacked because they went through your company to attack them.

So one thing is, with what we don't understand, there's this expectation that we can quickly fix this, within a week, we expect, but unfortunately reality isn't that way.
So when you connect to the internet, the world's at your doorstep, literally at your doorstep in the virtual world, the entire internet. And if you have a Cisco router out on the internet and you keep it patched and up-to-date, you're doing good, and Cisco does a great job of keeping on top of those things. But one of the issues that we often see is when a company has custom applications. They develop their custom things. So when we see that, we love that, and you'd better watch out, because nobody else cares about your custom applications. They don't care about your particular web app that your in-house developers created; they could care less, unless you're being targeted. And we often see these custom applications, and because no one's really attacked them or specifically targeted them, they're often vulnerable. So the reality is that on the defensive side (and I've been on that side, I understand) you've got to secure everything; you're worried about everything. Whereas on offense, the attacker only has to find one thing and they can gain a foothold.

So the proper implementation of the security technologies is a challenge. I think the industry puts a lot of good security features into products; oftentimes the problem is that they're turned off by default, and they expect you to understand that they are supposed to be turned on, but oftentimes things don't get turned on. So having security things turned on by default is good; I think we should demand more than turned off by default and expected to be turned on. So often you hear, "the inside of our network, yeah, we don't do as good a job on security, but that's all right, we're really hardened on the internet-facing, the external side," and that's good, but you've got to realize you're really just one click away from the outside to the inside, and once again phishing is a perfect example of that.

So when we do our assessments we don't use zero-days. We sometimes find zero-days, oftentimes just by accident; our scanners might find it, but we don't specifically attempt to create zero-days, and we don't need to. We still have a good success rate without having zero-days. And if somebody doesn't know what a zero-day is, it's just an unpublished vulnerability in the product or application or whatever. So one statistic: ninety-nine percent of exploited vulnerabilities were compromised more than a year after they were published, so obviously patching hygiene isn't up to speed. And we still find, to this day, Microsoft vulnerabilities we love to exploit. 08-067 is one of our favorites; Conficker came out because of that. We love that vulnerability and we still see it even to this day, and that's been, hmm, seven, eight years now. Oftentimes they're on systems that are just kind of maybe legacy systems; they don't use them anymore or whatever, but for whatever reason they still have them turned on, kind of shoved to the side, not thought about, but still on the network, still accessible. So one of the forces: security's at odds with profit. So you
know, we've just got to get that product out, damn the torpedoes, full speed ahead. I mean, one question: how are these big companies being hurt by breaches? Yeah, I think in some cases they are, though I just saw TJ Maxx, they're about to open like a thousand new stores or something, and of course TJ Maxx was that company whose parent got popped, and millions of credit cards, all that. Target, I mean, all those companies are still around. Now the smaller companies, I mean, some haven't gone out of business, some have gone out of business as a result of being exploited. So things can be made secure; it's really the question of how workable it is once you've made things secure enough. So there's this middle ground that you have to go with; you still have to have usability along with security. And you may not realize it, but you're part of an escalating war in the computer security world.

Oh, how many admins do we have out there: security, database, network? Anyone? I'm giving out goodies. Any admins willing to admit it? All right, well, you can come up afterwards and get these. This was kind of a setup, so you guys were right not to take those. All
right. So IT people are unruly. Like, I'm one of them, so we're unruly people, right? So we're lazy. Okay, let's admit it to ourselves, we are lazy. We say we're efficient, right, in the name of efficiency, but really we're lazy. So that's what we exploit: we exploit your laziness. So if you're working as an admin in a company, we take advantage of that in our assessment work. So it's not totally your fault: you're overworked, you tend to wear many hats, you're oftentimes powerless in the decision-making. You know the right decisions to make, but it just goes up the chain and doesn't go anywhere. So now oftentimes you don't understand security, and in a lot of ways that's not your fault. IT schools don't teach it. I mean, they're getting better now; the NSA is putting some money in some of these schools and awareness is going up, but it's not taught. So we often find people get really defensive when we go to do work for them. They may be trying to hide something, whether it's incompetence or whatever, and territorialism plays a role in that; everyone takes ownership of things, so it's their baby or whatever, so somebody slapping their baby, coming in, doing that, so it's understandable. Yeah, anytime we see pride or arrogance from people, typically it doesn't go well for them at the end.

All right, unfortunately we have to deal with humans, and they tend to ignore your corporate policies and training, right? Training, training, training, all these policies, wonderful policies we put out. I mean, you still need them, you still have to have that, but people will ignore them. So they click on links in emails. Stats out there show about a fourth of the recipients that get phishing emails open them up; that's what we tend to find in our assessments. Now I'm going to have a little quiz here, and
somebody wins a big prize for this. So raise your hand, don't blurt out the answer please; some of you might be disqualified from answering. Okay, this is a phishing question. All right, so there are some terms that they use for phishing that are out there. There's three, let's say three big terms, no, yeah, three or four. All right, you just have general spam, so spamming out there for whatever, some product, right? You have phishing, which is, I guess, trying to get you; nefarious things might be behind that. There's spear phishing, which is kind of targeted specifically toward a company. There's a third or fourth term where emails are specifically targeted to your C-levels. Does anybody know what that might be? Let's see. All right, who likes candy?

All right, this man, he likes candy, and I think he knows the answer. So: whaling. Right, yes, congratulations, you got a pot of gold. Yep. All right, so it's a term that's really not heard too much in the media, but whaling. So yeah, and I think you see that more and more with ransomware now. So these emails are being sent; there's some background discovery done on who the C-levels are at a company, and just very few emails are sent to those C-levels, very targeted, saying, "we need the W-2s" or whatever it is, "send...", and it looks like it's coming from somebody else in the company.
So, but, whaling, yep, yep, absolutely, yeah, yep, that's very common, we've seen that. Okay, so the humans like to give out credentials over the phone. Yay, good for us. They choose bad passwords: so when users are given a choice they tend to use bad passwords that we can crack fairly easily, and they like to store unencrypted passwords on the network. I'm sure none of your company's people ever do that, right? But we find this all the time, and please stop it, because it's just too easy. If you have like an internal file sharing system that everybody has an account on, inevitably we just do a quick search. Now if it's a Windows environment, just do a quick search on the share: just show me file names with "password" in it, and inevitably at least one will pop up. Oh, and unencrypted passwords not linked to company resources but to personal resources, all unencrypted. I don't know why you people are doing this, but you do it, so stop it.

Okay, so malware doesn't care, right? It's a cold, heartless thing; it just doesn't care who you are, doesn't care what kind of day you're having, it doesn't matter. It's just, you know, the Terminator, right? He's just after you, and he doesn't care. So exploitation is opportunistic, and basically I'll take whatever you give me. So oftentimes, especially on an internal network, that's a lot of stuff you give me that's potentially exploitable. So we often see that breaches turn into parties, and we've seen this, well, I've seen it working incidents, and you can go out on the internet, do a Google search and see it out there as well. When one entity breaches a website, then you see others, like they'll advertise that to their friends or whatever, and then others will join in. So if you get on a compromised website you may see one program, one web shell, that gives us access, but you'll also see, when you see the file structure, a whole bunch of other different kinds. So it's like everybody brings their own to the party, and they have different reasons, whatever those are. Your systems.
Okay, so I always like it when we assess larger targets, just because they're more complex environments, and the more... anytime you introduce more complexity to something, it typically tends to be less secure. There's more attack points or whatever; you've got that larger attack surface. It would be nice to keep it as simple as possible, and of course that's difficult, it's easier said than done. The KISS principle, keep it simple. But so it's hard to keep track of all the assets; you're herding cats. Proper network and data separation is rarely found. You've got a database and you're like, "oh yeah, all our proprietary data, all the data we care about, oh, it's in the database and we're watching that thing and we've got it encrypted" or whatever. Well, then you also have people that actually have to use that data. Well, guess what, they pull the data out, and then, oh yeah, they're going to crunch on it on their own systems, right? They'll put it in an Excel spreadsheet or whatever they're going to do. So now you've lost control of your data. So where is your data? So we have email; emails go out. How many people print emails, right? Especially sensitive data. So take like a law firm or something: how many law firms encrypt their email to their clients? There's probably some that do, but there's probably some that don't. What about your mobile phone, your mobile stuff, your phones? How much sensitive data do you keep on that? And people obviously lose their phones. Do you encrypt data on phones? And you'd be pretty surprised about the amount of information that gets published on the internet. It's just hard to keep the data under control. Now oftentimes, I think in big organizations, there's really this lack of accountability; everyone thinks it's somebody else's job to do that, whatever it is.

So we pretty much always find low-hanging fruit in these environments. Low-hanging fruit is just easy ways to exploit things, and when you think of exploits, you think of software vulnerabilities, but exploits really, that's just a part of computer security. I know that's the big sexy thing that people do, the buffer overflows here and there or whatever, but there's a whole lot more to computer security. And the gist is, there were computer security books written before anybody really even realized buffer overflows existed; the Morris worm, I think, started that or whatever. But there were computer security books before buffer overflows, so that's just a part of it.

All right, this is a huge thing: exploiting trust. So network environments have built-in infrastructure; just think of Windows
domains. So there's this trust, a lot of trust that goes on, and we typically tend to exploit Windows trust the most, because that's the environment we run into the most, though other environments also have trust relationships. Think of a Unix environment, NFS, all the holes. I mean, they still have that trust architecture from 30 years ago or whatever that could be exploited. Now some of it's by design, just the cost of doing business; we have to be able to trust entities here and there in the environment, even third parties. So you look at the supply chain, right? So I think it was Target that got busted, no, yeah, Home Depot got busted, it was an air conditioning company, okay, Target, okay, one of those. And so their air conditioner company had access into the system, and attackers hopped from a third party into their system, because they had this, I guess, 24/7 access for the HVAC folks, which I'm sure they didn't need. And then you've got, back to phishing again, I'm harping on the phishing, I know it, but the trust: you click on a phishing email, that's a trust; you trusted that, right? So mobile devices, cloud: hey, let's throw all our data on the cloud, right? Because we have to trust the cloud then, right? Are all cloud providers trustworthy? Not necessarily, right? Some of them do a great job, others not so much. So you really need to only give as much access as needed. Oh, and the big takeaway with trust, and we leverage that, is once you leverage that trust, you look like normal. So your IDS/IPS systems out there or whatever, you're now part of the normal traffic. You're the domain administrator that has to get access to the server box or whatever. IDS isn't going to fire on that; they're like, "oh yeah, that's... yeah, they need that."
One of our favorites: compliance, right? So check boxes rule the day, you probably know this. So I think what it kind of leads to is you don't see the forest through the trees. You're relying on these checks, right, and you're not really thinking about things, you're not thinking about the potential attack vectors. So it's kind of a mind-numbing exercise; you don't think holistically about everything. And I think oftentimes the spirit of what was intended with, like, PCI compliance or one of those is kind of violated. The assessor might say, "hey, you've got an issue on this box with this password, it's weak," and then you don't extrapolate and say, "oh, maybe I'd better check my entire network for weak passwords" and all kinds of things. That's just too much work, I guess, but that's what we would like to see: looking into problem areas, so if you see an area that you've got an issue with, then addressing that across the whole environment. Compliance folks often aren't technical, and so they might not quite make the right call or understand things quite right with the environment, but you're performing your due diligence, right, so it's all good.

So EMV for PCI has come along, right, that's the big thing, chip and PIN, right? So that's great, I mean, that's driving towards good things, but it doesn't solve breaches. There's plenty of other information unrelated to a credit card number that you don't want stolen. You've got identity theft with PII, personally identifiable information; your intellectual property, so the Chinese are stealing all your IP, right? That doesn't have anything to do with credit cards. So there should be compliance for other things besides credit cards, right? So there should be different compliance, and HIPAA and all that kind of start getting at that; they're getting closer, but they're a little generic.

All right, so you need to reduce your attack surface as best you can: get rid of the unneeded things. So you may have a server that's running a service that isn't vulnerable today, but it may be vulnerable tomorrow, or you become aware that it's vulnerable; it's always been vulnerable, but you become aware tomorrow. So if you don't need that, get rid of it, right? So reduce the things you don't need out of your environments. Pretty much figure that it's going to take multiple rounds to fix everything. So we'll go in, and we do have repeat customers, and you
know, they won't have everything fixed the next time we show up on the doorstep, but that's okay. As long as they're working towards that, that's important, but it's difficult. So your environments need to be constantly tested; things change, it's dynamic. So putting in a firewall or an IDS or whatever, that's great, but that's not the complete solution. It's not like you put these things into your environment, these products, and you're done. They need to be monitored, actually taken advantage of; oftentimes that's not done. And they can be subverted, but you still need them; you still need a baseline. So AVs, the antiviruses: I don't sweat it, it's over; any virus pretty much can get around them, but you still want them, because you still want that baseline. So if somebody got phished or whatever, with some stupid virus, you still want that, hopefully the AV, to catch it. So you still need these things.

So the cost of things would be way cheaper as far as security goes if they were just integrated at the beginning into the development lifecycle of things, whatever those things are. But you'll see out there, and it will continue, you'll see this vicious cycle: they put a new product on the market, and inevitably somebody finds vulnerabilities in it, right? Because we've just had to get it to market as quick as we can; we don't care about security so much. And some of those presentations, like the automobile stuff today, is sort of one of those, I guess. It's like, get that automobile stuff out there or whatever, we've just got to get it to market, and security, yeah. So you'll see that with new stuff coming out. So learn from your mistakes; it takes time and effort.

Do defense in depth. So just kind of assume, if you're running a network environment, assume that it's going to get compromised. A person is going to click on the email, the phishing, then what? What kind of countermeasures do you have in place if a user's inbox gets compromised? Are they running with least privilege? Even if they are, there's ways to escalate privilege, but just keep that in mind; have that mindset of defense in depth, where it's a "what if, then what do we do" type thing. So your goal is to minimize risk, not eliminate it. You'll never be able to completely eliminate the risk, but the goal is to minimize it.
Okay, before questions, let's get back to my first thing I said about the destruction of mankind. So this guy right here, he could be the answer to our computer security problems; he could be the ultimate solution, right? And so how many of you heard about, they put IBM Watson on the computer security whatever? I don't know what he's trying to solve, but yeah. So let's put our AI on, and I think that is the solution ultimately, is to have AI. Some of these products are rolling out with it too. But let's think about this for a minute before we actually do this, right? So a couple of people like Elon Musk and, I think it was, Stephen Hawking kind of came out and warned about AI, right? So thinking about it for just a minute: you're the dominant species on a planet, right, and why? Because you use your noggin, right? So let's create a competitor to that, right, one that, I don't really know, probably would think, "yeah, these humans, they're a problem, they are going to become a problem, or they are a problem," right? So I don't know why we would develop that, but I guess we're going to do it. I don't know how much sense that makes, but that's where we're going. Does anybody have any questions? Yes.

Audience: Wait, so, yeah, okay, I don't have any questions, but I will interject about the AI thing. Currently they're just coded instructions; they are software that progress in a way that we allow them to progress, so they're only going to become like an ASI, artificial superintelligence, if we just let them.

Speaker: I'm glad you made that point, because actually this is the important point I wanted to make about that. So is everybody familiar with, like, The Three Laws of Robotics and things like that? All right, don't harm humans and all that, that's great, and we'll probably set all that up, and it'll be like, yes, the humans will not be harmed, right, except, ooh, unless there's a vulnerability, right, the computer security. So it comes back to computer security: there's a hole in the system or whatever, and it gets exploited, right, by the AI. I mean, that's... we're screwed. So unless we get a solution to computer security, we're going to be destroyed by the AI.

Audience: The whole thing about the keynote, too, is it's emergent, you know, I'm predicting. So you could set up three very clear ones, but with all the complexity around them there'd still be runaways, unintended, right?

Speaker: Yep, and that's what my team does: we do the unintended, or, yeah, they don't realize you could do that, or, oh... I mean, that's what we're doing as humans; you don't imagine the AI is doing it.

Audience: I have a question, I don't know if this works or not. Are you doing more testing with Internet of Things related devices? Because we talked a lot about servers, and everybody likes to talk about autonomous cars, but in reality, like, light bulbs are starting to be... right, right, and those are going to be prevalent everywhere, all these little bitty Internet of Things. Are you running more tests?

Speaker: So we don't do so much product, like black box testing per se; we're more of the traditional, like what you'd say, breaking into the network thing. We've done some more specific type of testing like that, but in general now we don't.

Audience: Do you think that will be a bigger area in the future?

Speaker: Yeah, obviously it will be. You've got the smart meters that they're already hacking away on, and your refrigerator; you don't want your refrigerator attacking you or whatever, or spoiling your meat. I mean, that's, you know, Skynet, right? That's right, the first indications of Skynet, right? So yeah, no, I mean, depending on what you can do, and they'll say, well, there's these failsafe mechanisms; even if something got hacked, whatever the default is, it's benign or whatever. But so let's take, like, traffic signalling systems, right? A guy told me, well, if someone were to get in there and hack a traffic signal light, it'll all be red; like, you could never turn them all green so everybody smashes into each other. But if they all turned red, you're still going to have chaos. It might be delayed a little bit, but everyone's stopped, right? So it becomes this craziness, right, still. So I think implementing things without realizing the consequences, you know, smart homes, those kinds of things: it's like, do we really think about what we're doing here, what the capabilities are, any of that? So yeah. Anything else? Nope? All right. Yeah, thank you.

Audience: Of the low-hanging fruit options that you find, how many of those are also, just a rough guess, how many of those are also low-hanging fixes versus major re-architectures or remediation projects?

Speaker: It just depends on what it is. Passwords, well, we would like to see non-reusable passwords, obviously, so yeah, that would be a major fix, but we know that's not going to happen. So changing a password, sure. I mean, now changing a password for everyone on the domain when the domain gets compromised, that might be a little bit more difficult undertaking. The architecture, the underlying architecture, the trust and whatnot, Microsoft's been dealing with that for, you know, whatever, decades or whatever. So yeah, some things aren't so easy to fix, and of course my job's fun because I can just say "hey, fix this" and I don't actually have to fix it. So I'm like, "yep, hope you've got it fixed by the next time I come around." But yeah, some are, some aren't. Anybody else? All right, thanks.
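The speaker's point about unencrypted password files sitting on internal shares suggests a simple defender-side check. The script below is an added example, not part of the talk or the speaker's tooling: it walks a directory tree (a mounted share), flags files whose names contain credential keywords, and also flags small text files whose contents look like stored credentials, so an admin can find and remove them before an assessor or attacker does. The keyword list, the content pattern, and the constructed sample share are all assumptions.

```python
"""Added example (not from the talk): a defender-side audit for the
'password files on the share' problem. Walks a directory tree, flags
files whose names contain credential-related words, and flags small
text files whose contents look like 'key = value' credential lines.
Keywords, patterns and the sample share are assumptions."""
import os
import re
import tempfile
from pathlib import Path

# Name fragments that typically mark a stored-credential file (assumed list).
NAME_KEYWORDS = ("password", "passwd", "pwd", "credential", "creds", "login")

# Content heuristic: a line such as "password = secret" or "pass: hunter2".
CONTENT_PATTERN = re.compile(
    r"^\s*(?:password|passwd|pwd|pass)\s*[:=]\s*\S+", re.IGNORECASE | re.MULTILINE
)

MAX_CONTENT_BYTES = 1_000_000  # skip huge files; this is cheap triage, not DLP


def filename_suspicious(name: str) -> bool:
    """True if the file name alone suggests stored credentials."""
    lower = name.lower()
    return any(k in lower for k in NAME_KEYWORDS)


def content_suspicious(path: Path) -> bool:
    """True if a small text file contains a credential-looking line."""
    try:
        if path.stat().st_size > MAX_CONTENT_BYTES:
            return False
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return False
    return CONTENT_PATTERN.search(text) is not None


def audit_share(root: str) -> list[dict]:
    """Return one finding per flagged file with which heuristics hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            by_name = filename_suspicious(fname)
            by_content = content_suspicious(path)
            if by_name or by_content:
                findings.append({
                    "path": str(path.relative_to(root)),
                    "name_hit": by_name,
                    "content_hit": by_content,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_share() -> str:
    """Constructed sample share for offline testing (not real data)."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "HR/Passwords.xlsx.txt": "vendor portal\npassword = Summer2015!\n",
        "IT/router-creds.txt": "admin\npwd: changeme\n",
        "IT/notes.txt": "Remember to rotate the service account.\n",
        "Projects/budget.csv": "item,cost\nlaptops,12000\n",
        "Projects/deploy.cfg": "user=svc_deploy\nPass: Deploy#2016\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in audit_share(share):
        tags = [t for t, hit in (("name", f["name_hit"]),
                                 ("content", f["content_hit"])) if hit]
        print(f"{f['path']}  [{', '.join(tags)}]")
```

Run it against the share's mount point instead of the constructed tree; the content heuristic catches files like deploy.cfg that a name-only search would miss.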