
Keynote - Mark Fidel

BSides Albuquerque · 33:41 · Published 2024-08
Style: Keynote
About this talk
Mark Fidel is the founder and principal consultant at Fidel Consulting Group, a business strategy consultancy specializing in mid-sized, established technology companies.
Transcript [en]

But we'd like to call up our next speaker, that is Mark Fidel. Mark is a seasoned cybersecurity expert with a career spanning over two decades and the co-founder of RiskSense Inc. Welcome, Mark. [Applause]

Good morning, everybody. Any friends from Securin in the audience? There you go, hi. I'll explain why I said that here in a minute. My name is Mark Fidel. I am not the smartest person in the room, by a lot, especially with this crowd, right? My background is in finance, in law, in risk management, and in cyber risk management. I was a co-founder of a company called RiskSense, a cybersecurity firm. We did a lot of penetration testing,

a lot of vulnerability management, and we were acquired by Ivanti in 2021, and I stayed with Ivanti until 2023, when I left to form my own consulting group. And I guess, can one person be in a group? Is that okay? Because it's still just one person, but it's the Fidel Consulting Group. Anyway, that's what I'm doing. So my clients are technology firms, technology clients. Quick shout-out to S and to Kristen for making sure this works well today. Appreciate the work you guys are doing to put this together. The person who was to be in this role had an unavoidable conflict, and so I got a text message. Chris, I didn't even get a

call, I got a text message last Friday saying, hey, can you help us out? And I said, do you want quantity or do you want quality? Right? Because I don't know. The reason I mentioned Securin is that when Ivanti acquired us, they acquired us for the software that we had built, the platform we had built, the vulnerability management platform we built. But we were doing a lot of pen testing too, and those folks got hired on by Securin to augment the considerable talent that Securin already had in penetration testing and vulnerability management and a number of other areas, what I'll say is proactive. And I note that Securin is one of the sponsors here

today, so welcome, and thank you for being one of the sponsors. So, like any, so why is somebody without a formal technology background being a keynote speaker here? Well, because I'm much more like your average customer than your average customer is like you, pure and simple, right? And I was often the bridge between our technical resources, our very, very smart folks on the technical side, and our very smart non-technical clients, right? And I don't know if it was derisively, but I broke things down into check writers and influencers. Okay? Who's going to write me the check? It's often not the influencer in the customer area, right? And when we were having pitch meetings for clients,

with potential clients, prospects, and we knew we needed to make sure that the deal was there, I needed to make sure that both the influencers, which are often the technology partners in the client's environment, whether they're third-party vendors or whether they're employees, and the check writers were in the room. And I would watch to see, what is the reaction that the check writer is having to what the influencer is experiencing? What is that interaction like? Okay. The reason I bring that up is because it's important for us to remember as technology professionals, I know I'm using the royal "we," it's important for you to remember as technology

professionals that a lot of what you do is not noticed until it's needed, which is actually good. If you're doing your jobs right, then what you're doing likely isn't going to be noticed, unless you're on the incident response side of the thing, the disaster recovery side of the thing; then you're very much under the spotlight. Keep that in mind when you're working, if you're client-facing, customer-facing, and even if you're in an organization where your clients are all internal to the entity, right? You're going to have non-technical check writers, if you will, who you're supporting one way or the other. I think that's critical. So, I love the ChatGPT-4o build. I think it's

pretty cool. I think it's fun. And just for fun, because Kristen, I had a whole week's notice, I said, you have to give the keynote address to this event, gave it the URL for this event, provide a 30-minute speech that is humorous yet involves cybersecurity topics. Kind of a weak prompt, if any of you dabble in cybersecurity in the various chatbots. So the first effort is not good, but I'm going to share with you why it's not good. In brackets, "opening joke," and I don't think I'm supposed to say that, but: opening joke. Good morning, everyone. It's great to be here at BSides Albuquerque, where the air is thin but our security

posture is rock solid. Yeah, yeah. Anybody feel kind of cringey with that one? Yeah, it's not great. They say what happens in Vegas stays in Vegas, but what happens in cybersecurity, well, that ends up on the front page of every news... yeah, not great at the joke-telling. Let's start with the basics. Who am I? Just another digital janitor trying to keep the internet clean. I'm here to share some laughs and maybe, just maybe, impart a bit of wisdom about our crazy world of cybersecurity. Again, the prompt, the feedback is relevant to the prompt, because I gave it nothing about me, right? Didn't give anything about me. I

gave it just the URL for BSides Albuquerque, and, you know, give me some humor, give me some cybersecurity topics, so it's trying, I get it, right? And then it goes on. So I said, make this speech mildly less humorous, under the assumption that it was humorous at all, right, and slightly more technical. Also, this speech needs to be for 30 minutes. And I got told today, actually, speak as long as you like, so for the next six hours, settle in. Just kidding. It's not a success, so here's the other, here's the revision, and I'm not going to read from it, but it did provide some great topics that I'm going to feed off of, right? So:

Good morning, everyone. It's an honor to speak at BSides Albuquerque, which it is, so that's good, it ties in, where the cyber minds of today come together. Are we all here, are all the cyber minds here? Okay, good, checking. Let's talk about cybersecurity, the field that is as dynamic as it is critical. What I didn't tell ChatGPT is who the audience was, and that was my fault, right? So ChatGPT is speaking, if you will, from the perspective that you all are check writers, not check writers, influencers, right? You're not on the technical side of the world. But it gave some interesting perspectives because of the topics it's pulling up. The first was

cyber hygiene, right? The biggest problem in cybersecurity is us humans. You're in, right? Anybody having a Microsoft CrowdStrike kind of morning? Okay. I have a niece flying in from Tulsa today. She's on Southwest Airlines, so far unaffected, except their flight is affected because other flights are affected in Dallas, right? So there's an impact there, a one-degree-of-separation impact there, to what's going on, right? Times Square showing the blue screen of death, right? The Sphere in Vegas BSOD'd as well, right? And that looks really good because it's a big curve in blue. Okay. But it talks about regular updates, strong passwords, multi-factor authentication, the stuff that we know is

basic still comes as novel to some of our clients, right? Why do, what if I walk away from my laptop and it stays on, on the street, right, versus if I close it? Can you get into my laptop, right? Big difference. Who here has left a phone or a laptop in an Uber or a taxi or some other public conveyance? I'll raise my hand, right? Yeah. And really, I care little about the hardware, but I care a lot about either what's on the hardware or what that hardware can access. Okay. Any state government employees here, by chance? Okay, all right. So I don't know how long you've been in state government, but if you were in

state government in 2012, you should have received a letter from PERA, the Public Employee Retirement Association, right? The reason you received a letter from PERA is because a contractor, an accounting firm who was doing an audit for PERA, got data from PERA to do the audit. The data they got was on 36,000 subscribers to PERA, so people who were both retired and people who were at the time currently contributing to PERA. And PERA is the retirement, essentially your pension, if you will, if you're a state employee. If you're in education, then it's the Educational Retirement Association, right? But PERA is the Public Employee Retirement Association. They handed him the data on

his thumb drive at the PERA headquarters. He downloaded the data onto a laptop, gave the thumb drive back, left for another project in Clovis, New Mexico. So this was Santa Fe to Clovis, and he was in Clovis for a job for two days. On the morning of the second day, he realized his vehicle had been broken into, and two laptops and two laptop bags were stolen out of the vehicle. At a pawn shop, one laptop bag, one laptop and two laptop bags were recovered. The laptop that had the PERA data was not recovered. What's worse, the laptop wasn't password protected. What's worse, sorry, on that, what's worse was it wasn't encrypted. The hard drive wasn't

encrypted. So, you know, Andrew, you come up, you take the laptop, you're right, no issues, right, at that point in time. So when would you consider the data breached? Would you consider the data breached (A) when he left it locked in the vehicle, or (B) when the vehicle was broken into and the vehicle and the contents were stolen? A or B? Neither? A. I'm going with A, right, because it was out of his care, custody and control when he left the laptop and laptop bags in his vehicle, because somebody else got it, right, at the point of A. Now, it was never determined that any of the data on that laptop ever surfaced in the wild, but you

have to consider it a breach, right, for that. At the time, the state of New Mexico did not have a data breach notification law, and if they did, and it was the same law that is now in effect today, it wouldn't have mattered, because all state agencies are exempt from the data breach notification law in New Mexico. Just letting you know that, right? Not a secret. But PERA had retirees in 50 states and multiple countries, right? People move when they stop working, right? So we had to come up with a way to communicate this information about the breach to 36,000 people. My dad, who's now passed on, but at the time was also a

member of PERA, so I'm proud to say he received a letter that I helped draft, because PERA engaged us, not for incident response necessarily, but for how to craft the language for the breach notification. So we modeled the breach notification on the most strict, at the time, breach notification law in the country, and that happened to be in Massachusetts, right? By the way, PERA didn't have an obligation to do so, because what was it, a reputational risk? Probably, right? But are they afraid people are going to go to their competitor? There is no competitor, so that wasn't a risk, right? But they thought it was the right thing to do, which was obviously to notify and to put into place

credit monitoring services, identity theft services, those types of things, right? So they did that. PERA is not a big organization people-wise. This took a lot of effort, so they hired a third party. It was actually an entity that Experian started specifically for breach notification issues. So Experian set up a toll-free number for them, they distributed the letter to the database of retirees and members, and they managed this process. So this whole thing, including our $112,000, it's all public record, cost about $860,000. All right, so now: choice A, taxpayers paid for this; choice B, PERA paid for it but didn't directly charge taxpayers, tried to collect that money some other way; choice C, the

vendor paid for it. C? C, close. I didn't give you all the information. It was the vendor's errors and omissions insurance coverage that paid for everything. They were excellent to work with, because I interfaced with them on behalf of PERA, and they kicked in from day one to be able to manage this effort. So no taxpayer dollars were affected, unless you're thinking, so the vendor's premiums went up the next year, if they could get cyber insurance, and if that happened, then maybe the vendor's rates increased and then that was passed on to its public entity clients. Don't know. But that's an example of a breach that wasn't a breach, but we can't, right, the data is lost from that

perspective. Who here deals with advanced persistent threats in their daily work? Right. What are some of, if I may, what are some of the most tenacious threats you've come across in recent times? Well, I've seen actors computer in Oran for... Okay, nobody knows. And you were able to determine the time frame based on the file tra..., on the traffic of the network? Full packet capture. Okay. So advanced persistent threats are, they're a problem only when you notice them, right? And you notice them when triggers are pulled, right? And so sometimes you don't know. And I'm bringing this up because it's very scary for your clients, for your non-technical clients. They've been doing what, for a

year in our network? That type of response. And then, how did this happen, right? We used to do a lot of forensic work, and part of it was incident response, and boy, the non-technical clients were hellbent on who did this. So what is that called? That's called attribution analysis. Who do we attribute this to? And I'm not so sure that that's worth the money that is spent on attribution analysis, because let's say, for the sake of argument, you're the client, spends that money, or their insurance policy spends that money, right, to figure out, ultimately, gosh, it was somebody out of North Korea, right? And I've had clients say, well, can we get them back? Not get the data back, can we get

them, can there be retribution, can we serve revenge upon them? Seriously, clients want their pound of flesh there. And the answer was always, technically yes, from a technological perspective, probably; from a legal perspective, absolutely not, right? And that's frustrating. That's frustrating for clients. So when you're delivering what may be bad news to your clients, understand, try to be in their space for a minute and understand, if you're receiving this bad news about your network, how would you want it to be received? You want it to be honest. You don't want histrionics, right? You don't want me in histrionics, right? But you want to be honest and you want to be forthright with them about what's going on. We had a

client, and I won't disclose who it was because of what happened; these are the good stories, right? We did a penetration test for the client. We had a kickoff meeting in the client's office. The client's office was on the seventh floor of a 10-story building. When we went to the building for the kickoff meeting, there was no guard activity, right, check-in desk in the lobby. We went to the seventh floor. There's nobody at the reception desk. Instead, there are signs at the reception desk saying "IT conference" with an arrow, and it was a nice trail of crumbs for us to follow to get to the IT conference room, because that's where we were meeting. Now, I don't know if the

signs were specifically for us, or they looked like they had been there for a while. So, we were there a little bit early, but not like 30 minutes; we were there probably 10 minutes early. Nobody challenged us at a reception desk because nobody was there. There were five of us. We walked through this maze, found the IT conference room, yay for us, right? Very smart, we followed the maze. Sat in the IT conference room, and then the clients came in about four minutes after we got there. We had the kickoff meeting. We did the pen testing, took about three weeks, came back for the exit briefing, right? Exit briefings are

always fun, and we showed complete domain capture. We called it, what was the term, it was "something something by lunch." So, first day, we had complete domain control by lunch of that day, and then our technical experts did other things and showed it a variety of other ways. So the exit briefing, the first slide was a photo of the whiteboard in the conference room where we were sitting, and that photo was taken by one of us at the kickoff meeting four weeks prior. Okay? What's important about the photo is: username, password, written in dry-erase marker on the whiteboard, for a conference room that was not secured, right? We didn't break into anywhere. So

was that username and password fair game for our pentesters? Absolutely, it was fair game, right? And they cried foul. They said, essentially, you can't do that. And we described how we got the information, and by the way, four weeks later, the same username and password, it hadn't changed, it was still on the whiteboard, right? Now, that wasn't our only path to success, if you will, right? That was the primary path because it was the easiest, right? If I'm a bad guy, I'm going to go the easiest, most expeditious route to get to my goal, and that's what it was. But we also had other methods that we proved out. So it was a gamble, and this was my

call on how to present this information, and the gamble was, how are they going to receive it, right? What is their perspective going to be, and are they going to listen to the rest of it? Because cybersecurity isn't just about securing the computing environment; it's about securing the humans as well, right? And they failed in that regard, because we walked in unan..., well, they knew we were coming, but we walked in unchallenged. Okay. When we would do social engineering, they allowed me to be the dupe, if you will, carrying boxes of stuff to try to get into doors, to locations, because, you know, I can't see my badge because of the boxes, can you,

can you hold the door open for me, right? That type of thing. And I, for a state agency in Al..., in Santa Fe, I was giving a security training course, an information security awareness training course, 8 a.m. on a Monday in January. Okay. And so, because I felt bad for the poor fools who had to sit in my class at 8 a.m. on a Monday morning in January, I brought donuts. So I had three boxes of donuts, and I didn't realize that the doors were on mag locks; they didn't open before 8:00 a.m. So I didn't have a badge, obviously, I don't work for them, but here I am, backpack, donuts, it's cold, and an employee walks up and she said, can I

help you? And I said, well, I'm giving you security training at 8. It was like 20 till 8, and my host isn't answering his cell phone. She said, oh, well, yeah, do you know where you're going? I said yes. She badged me in and then went to her office, and I went to the sec... So that then served as the story that I opened the security training with. She was in the room in my security training. I didn't point her out, but I said, you know, the moral of that story is, beware the guy with the donuts, right? From that perspective, that you can walk through a lot of situations if you have, you know... The best

way we did it was checking fire extinguishers, right? We're here for the annual fire extinguisher check. Have some sort of jacket on that looks somewhat legitimate, have a ball cap on that looks somewhat legitimate, we're here to check fire extinguishers. And where are fire extinguishers? Pretty much everywhere, right, in commercial or public buildings, right? You can go unchallenged in those regards. Who's dealing with AI in their job today, on any level? Right, go ahead, thank you, appreciate it. I'm going to ask, thank you for that, because I'm going to ask questions. Who raised their hand, right here? Did you, if you don't mind, what are you using AI for, or how

are you interfacing with it? I can give you this mic if you want. Yeah, there you go.

Right now we're going through a feasibility assessment to roll out Copilot to a larger audience. Okay. And as a part of that, we're going through the architectural assessment, security controls, and then kind of more tangential to me is RPM uses it often to generate notes from assessment meetings and a lot of other sensitive areas. So that's, we're really kind of teeing ourselves up to see if that's something we want to kind of take on. And I'll be loud here: from an end-user perspective, is the data that Copilot is managing, is it encrypted at rest, encrypted in transit? Yes, but that... there's a pause in your voice, did you hear that?

Yes. While data encryption, and especially at rest, and those factors are huge, I've found through this assessment the larger concern is DP tagging for severity and sensitivity. Okay, right, okay, okay, that makes sense. So while our organization is fairly mature along that journey of having data protection standards across the organization, right, the data tagging will often lift up to the user. Sure, yeah, okay. So that's an area of potential weakness, obviously, right? Where is the data stored that Copilot is managing? Is it stored locally or is it stored in Azure? Azure. And is that continental-US Azure, or is it wherever Azure puts it, multi-tenancy, multi, across the world? Does that matter to the

organization? Absolutely. Okay. So, and I'm most familiar with AWS, so pardon my naivete on Microsoft's products, right? AWS GovCloud, right, keeps, allegedly, should keep your data in the continental US, right? I'm assuming Azure and Google Cloud have similar environments. Absolutely. All right, got it, thank you for that. Sure. Who else is working in AI? And I just wanted a description, ma'am, if I may. Oh, back here, right there, thank you. Sorry, you have no idea where I'm pointing, I'm just wildly pointing here. I was hiding in the shadows. So we are a defense industrial company, and we opted to block Copilot. It's not on a GCC High tenant yet.

Yeah. Instead, what we decided to do, because we do a lot of research and a lot of development, you're not going to stop engineers from playing with large language models, right? So we've stood up an internal data lake. Okay. And that way we can control our boundaries, we know where it lives, we know how it's encrypted. So that's what Copilot is looking at or using? That's, well, okay. No, we blocked it entirely, our system completely, and we've stood up an internal, okay, controlled AI model. Okay. That gives our engineers a little bit of room to... Is it a proprietary model? Yes. Okay, got it. And a quick shout-out to CMMC,

anybody? Yes, yes, yay. Anyway, go on. Yeah, yeah, anyway, the joke now is that, unlike the team Lite, because every time somebody mentions AI I get a little queasy, right? But we do have to figure out how to work with it safely. Sure. We have to figure out how to control it, because it's not going to go away. So until the environment as a whole matures, fair enough, we want to protect our people and their hard work. Fair enough. That makes a lot of sense. You know, it seems to me that AI today is still not the AI of science fiction, if you will, right? The autonomous, the, what, at least

the word "copilot" brings to mind is a wingman, if you will, for a fighter pilot, right? Autonomous drones that follow along the plane and can support that manned aircraft, if you will, right? But I think we're getting there very quickly, right? I think we're getting there in terms of energy demands. It's crazy how much energy is required to do the work that ChatGPT is doing, or Google's product; they change names every week, so I'm not sure what their name is this week. And, you know, on those levels. So thank you for that, because it is interesting, and it's going to be used; it's a matter of how do we do it

safely. All right, how am I doing on time? Five more minutes. Is there a sigh of relief? I heard "thank God." So here's my question for the group, right? If anybody is involved in both quantum computing and AI, that seems to be a bit of a holy grail, right, the combination of the two. And I don't know, you know, quantum, I understand the basics of quantum computing, but it's also very, very hard to do, it seems, especially at scale. But once those challenges are there, and then you mix in large language models into that, right, what does that do, right? Quantum is interesting because of the protections it can afford, and on the

negative side of things, the ability to break encryption, right, from a security perspective. And so is anybody here working in quantum at any depth? And if you can't raise your hand, don't, right, that's fine. Okay, that's what I thought, from that point of view. So it's a constantly evolving field, right? Please keep in mind the position of the person you're giving either good or bad information to, right? Cybersecurity, here are my hopes for cybersecurity. Does anybody remember the quality management movement in the 90s, not the 1890s, the 1990s? Quality management, right? You have a chief quality officer. Quality, quality, quality, quality. I've looked, and you can't find

chief quality officer roles anymore. Why? Because those things have been, hopefully those concepts have been now built into, right, from software development, the era of Agile development, right? We're always testing, we're testing, we're testing. Sometimes, as is evidenced today with Microsoft and CrowdStrike, the test didn't go far enough. Okay, we get that. I'm hoping, no offense to anybody who has cybersecurity in their job title, but I'm hoping, societally, right, that we don't have the titles in 20 years, because the concepts are built into the place. Right now it's, gosh, that's a cybersecurity person's role, that's a Chief Information Security Officer's responsibility, not me as the end user. But yeah, we are, right, because we're

giving end users who aren't cybersecurity professionals access to vast amounts of information based on their roles, role-based access, right, sometimes correctly, sometimes incorrectly. And if you, you know, you walk away, and somebody walks away aggrieved with that laptop, you're hoping you can shut them down. Okay. If there are any, now, Andrew, you set the bar for questions. Are there any questions that I can answer for you at this time? Question, sir. You mentioned, yes, go ahead. You mentioned that you had experience, sounds like, with AWS cloud and CMMC, so I'm curious if you notice or know if the FedRAMP cloud systems that they migrated to,

Rev 5 of the RMF yet, or not? I don't know if they are there yet, and so I don't know its current status today, but they have to, right, pure and simple. They have to get there, otherwise they lose lots and lots and lots of business. So it's a matter of when, not if, I think. Other questions? Everybody's, don't raise your hand, don't raise your hand. All right, I really appreciate the time. I hope you enjoy the rest of the conference, and thank you for your attention today. Appreciate it.