Diversity in InfoSec (not that sort!) + Rockstars vs Plumbers

BSides Leeds · 42:37 · Published 2018-02
About this talk
Walberg argues that infosec careers extend far beyond pentesting and malware reversing, using the OSI model as a scaffold to map threats, defenders, and job roles at every layer. She then contrasts the 'rockstar' tech researcher culture with the 'plumber' work of enterprise GRC and compliance, pushing back on the dismissal of governance work and calling for better mutual understanding between researchers, pen testers, and enterprise security teams.
Logos and images are copyright their respective owners. Used: part illustration for teaching and scientific research, quotations for purposes such as criticism or review, or as caricature, parody or pastiche.

Sources, Diversity in InfoSec:
OSI Model: http://www.dummies.com/programming/networking/cisco/network-basics-tcpip-and-osi-network-model-comparisons/
Image Sources:
Data: https://www.amazon.co.uk/Star-Trek-Next-Generation-Data/dp/B00Q58GMJY
Physical: https://www.hellomagazine.com/celebrities/201005063446/olivia-newton-john/glee/physical-video/
Network: http://www.hackmageddon.com/2015/08/27/an-additional-compilation-of-attack-maps-including-a-tool-to-build-your-own/
Session, Presentation, Application: https://www.salford.ac.uk/ethics/apply-for-ethics-approval

Sources, Rockstars vs Plumbers:
Enterprise Information Security Program: utah.gov http://security.utahta.wikispaces.net/Services
Quote from Mike Kuniavsky of Adaptive Path via InspireUX: http://www.inspireux.com/2008/04/02/your-customers-are-not-you/
Compliance is not Security (Thales): https://blog.thalesesecurity.com/2015/07/07/compliance-fighting-todays-battles-by-yesterdays-rules/
Compliance vs Security (Redspin): https://www.redspin.com/it-security-blog/2011/05/hipaa-security-risk-analysis-compliance-vs-security/
Image Sources:
Rockstar Domo: https://m.aliexpress.com/item/32806465823.html
Mario: http://jamesiaciofano.blogspot.co.uk/2011/09/super-mario-vintage-find.html
Robbie Williams gif: BBC, Buzzfeed: https://www.buzzfeed.com/ikrd/entering-2017-like?utm_term=.ii0vz6Ogw#.xqw7dWZye
Are You Being Served - Trevor Bannister and John Inman, Scope Features: http://www.telegraph.co.uk/news/obituaries/culture-obituaries/tv-radio-obituaries/8454726/Trevor-Bannister.html
Are You Being Served - Frank Thornton and John Inman, Allstar/Anglo: http://www.telegraph.co.uk/news/obituaries/9938474/Frank-Thornton.html
Snake Oil: https://www.theregister.co.uk/2015/06/22/regulator_crackdown_over_fake_reviews/
Money Tree, Getty: http://www.bbc.co.uk/news/blogs-trending-39881914
Wil Wheaton: https://permies.com/t/60055/nice-don-dick-dick
Transcript

So I think it was explained that somebody dropped out, so this was originally going to be half a talk, so I've added an extra talk as well. This one's a bit rough and ready, and then I'll move on to the other planned talk. So, first, Diversity in InfoSec, and I've gone with "not that sort". I'm doing this talk because I go to quite a few different conferences, and I find that some of them can be quite siloed. So the tech conferences like Insomni'hack or BSides tend to be more techie, and then you go to ones like (ISC)², that's going to get...

Okay, try that again. So yes, I go to quite a variety of conferences: whether that's something like a BSides or a something-hack, the techie ones tend to be more focused on malware and pen testing; OWASP tends to be a lot more software development lifecycle, DevSecOps, that sort of thing; and then you've got the (ISC)² ones where there's a lot more regulation and policy, more enterprise-focused. And I wanted to share that there are various roles and how they relate. I'm quite conscious that it's at a university today, and that there are more things than just malware reversing and pen testing roles out there. So I thought I'd have the OSI model as a base. I'm going to play with it a bit, but it was just to give some talking points around roles and threat models and defence for those.

So normally you start with the physical layer in the OSI model, but I'm going to jump straight in with data, because that's what we're there to protect and that's kind of the golden crown jewels, whatever you want to call it. You wouldn't have complete systems without wanting some sort of data storage and sharing of information. So I'm building this from my background: originally network engineering, systems and then through to hosting, and then I've gone more on the security side of those. So with threats you've got the threat of data leakage, and that happens a lot. In terms of offence and threats to that, you've got people wanting to get access to that data: that might be nation-states, that might be corporate espionage, and it might be criminal, so seeking to profit from the data. In terms of external people trying to get that, that's people like security researchers, white hats, black hats, malware writers, who are finding ways in to get that data where it shouldn't be. And separately you've got accidental data loss as well, and that's why it's good to have policies, processes and tools. So in terms of defending that, and job opportunities, you've got governance roles, information protection roles, risk, compliance; you've got regulations and roles around those, so GDPR, with GDPR coming in there are data protection officer roles out now; and then in terms of architects and engineers and design and operations, they're the sort of people who are there to protect all the data.

Physical: again, playing with the definition a bit there, obviously something very different in the OSI world, but in terms of threats you've got nation-states doing things like tapping the data, you've got building access, and you've got disaster issues as well: you've got fire and flood that may physically destroy your data. So in terms of attackers you've got people doing social engineering. I missed [inaudible]'s talk earlier on today, but I did see him talk at EMF Camp a couple of years ago; he gave a really great talk on social engineering. And the job opportunities there with social engineering: for the roles, national security, GCHQ and NCSC seem to be trying to recruit people. And in terms of defenders, it could be anybody from standard security guards, CCTV operators. In terms of defending against that you do have things like having CCTV and pressure sensors, fire suppression systems, backups, off-site locations, but you need people to run all of those things, whether that's a basic support role or people installing those systems and managing those systems, so data centre managers and that sort of thing for the big data repositories.

So network: threats there, you've got things like DoS, spoofing and route poisoning, and insider threats, people doing things like replicating ports, I have seen that happen. Defending that, you've got things like IPsec, and then people to defend that, people doing network security type roles.

Missed off my transport slide. So with the transport layer you've got things like SYN attacks, so your DoS, DDoS attacks. Again, to defend those sort of things you've got people doing NetSec, but you've also got ops, they're reducing the systems forming part of a botnet, and working for companies that develop tools for DDoS. So, when I read, AWS have some tools available if you're hosting with them. In terms of ops, it's your standard things like running antivirus and other defence in depth techniques to try and prevent people becoming part of a botnet.

And then I've just lumped session, presentation and application all together; in a TCP/IP land they all just form part of application. So session, there you've got things like session hijacking, and preventing that sort of thing is development practices, so that's not just people being good with code, that's also people having oversight of development standards and that sort of thing. And presentation layer: in OSI terms that would normally do things like encryption, decryption, but in my terms I'm saying things like fake sites and poor UX, so there are opportunities in security by design for that sort of thing, intelligence, so being aware if you're involved in protecting a well-known brand, looking out for things like fake sites and that sort of thing. And then application: massive, massive scope in terms of that, and very similar roles in terms of data, so you're getting good coding practices, developers, security designers, security architects. In terms of people who pose a threat to you, whether that's black hats or organised crime; other threats, misconfiguration across the layers, and again that comes into the process of policy and having those standards to try and reduce mistakes and the impact of those mistakes, and also monitoring on those. And then there's layer eight, also known as people and end users, so that's having things like security awareness programmes in organisations; it's people who are better at communicating than I am, who are able to train users and work with users, and also get the message across to the business. So there are just...

just offensive so presentations

No, completely. So in terms of monitoring, and they're just monitoring the usage, yeah. So, only that's not critical national infrastructure, and that does need protecting; you can't, it's data, I mean that's a service, that's a key service. So, two people doing things, I suppose, outside of the traditional roles: where it's failed, it's still about keeping the systems connected, so it's about having things like the industrial control systems, the ICS systems, running and being able to operate, and they need data to do that. So it might be data on how much power flow is coming through, is there an overload, is there a critical incident; so if we were talking shut down, but they were somehow trying to control and influence, of course, an overload. So Chernobyl, I know that was a terrible, terrible accident, but for somebody to force an accident by manipulating the power flow: there are controls in place, which the ICS has, but it's all about the data that the ICS system is getting back. And I'm seeing a lot more roles advertised that are looking for ICS security specialists. I think it's always been assumed that in the development, and there's so much legacy, and the lifespan of those systems is, they're not designed to last a year or two like a mobile phone, or three to five years like a PC or a server; they're in for decades and decades and decades, and risk profiles changed with the internet and so much knowledge available, and then connecting what would have been isolated systems to the internet, and having so many more protocols and applications and tools available to people to use. So it's an interesting... IT services, supporting services, but most businesses have some form of data that's needed to run, so supply chain, manufacturing, logistics, Maersk; there's been some articles recently about the heroic efforts that people had to go to after the NotPetya attack. So they absolutely have their work cut out.

All right, so diversity in skill sets. So, Rockstars versus Plumbers. As mentioned earlier I've come from an ops background. As I mentioned, I used to go to a lot of conferences and some people said "why don't I talk?", and apart from... I do obviously need a lot more practice and I'm a bit rusty, it's also because I don't do cool stuff. Some of the roles I've worked in, it's been getting patching done, it's identity and access management, it's security design, it's reviewing designs and looking at architecture and that sort of thing. And the other reason is most enterprise and ops or consultant people can't talk about their day-to-day work; that's a risk both to the security of the organisation and also reputational, whether that's the employer or clients. So sometimes I go to a tech con and the response I get tends to be a bit like that, and then I go to enterprise security events and the response is a bit more like that, or that. And this isn't the case for everyone: there are lots of great people in InfoSec and there are great techies within typical organisations, and lots of researchers sharing their knowledge and time. No idea what happened there.

So for those of you not familiar with enterprise security, it can be really, really broad. It's anything from securing the physical environment, IT data centre, managing air conditioning and whether there's fire and flood risk and those sorts of things; managing service SLAs; managing risk, I believe Chris Radcliffe did a talk earlier on risk; it's things like applying controls, looking at standards, creating policies, working with policies, making sure that they're enforced; things like vulnerability management, which tends to be patching, monitoring, checking whether patches are in place; things like raising awareness within the organisation; getting and maintaining compliance; governance; and incident and crisis management, detection, root cause analysis, the works. So I've lifted this from Utah State; that is the sort of thing that you do see in enterprise presentations. It's not shiny, it's very basic, but you've got quite a lot to cover there. So they are broad roles, and I know sometimes people have criticised qualifications like this that they're not technical enough, but there is a lot to cover and it's not all about the technology.

And when you take your standard enterprise applications and you add in things like online services, so whether that's e-commerce for an organisation or marketing wanting a brochureware site, you end up working with digital companies, or if you're lucky enough to have in-house developers, and then you've also got to manage external hosting, which adds in and expands your threat model and your risk; or you're working with SaaS and cloud providers, and that all needs managing as well. So lots of organisations are moving into having digital apps or IoT; you're seeing things like washing machines and that sort of thing now. So what somebody in an enterprise security role is doing is really going to depend on what that organisation is doing, whether it is something like the local council who need administration services, versus somebody that you would think of as a traditional white goods manufacturer now having things like applications and wanting to connect fridges and washing machines to the internet. So for most enterprise information security, it's not sexy work like pentesting, you're not going to end up on BBC News, but it's important work.

So how does this relate to security researchers, including pen testers and the type of people you see speaking at more technical conferences or in the media? So depending what they're doing, whether that's people reversing, working for antivirus companies or managed security providers, or even just having things like the major security vulnerabilities exposed, so the sort of work that Project Zero do, it highlights the risks of using service providers, so things like the Cloudflare issue; the importance of patching, there's something like Heartbleed; or even how it can be about having secure by design, with the recent Spectre and Meltdown vulnerabilities. So I think the important thing I'd like researchers and pen testers to remember is: your customers are not you. They don't look like you, they don't think like you, they don't do the things that you do, they don't have your expectations or assumptions. If they did, they wouldn't be your customers, they'd be your competitors. So I think it's really important to remember that whatever the role is you're doing, you're basically providing a service. So people in enterprise security have different priorities, they support the business, they have different challenges: they may not have the support from the business to do the right thing, whatever that might be; that might be patching. You see it often said online, on social media, people mystified why organisations don't patch, and there are a lot of reasons. It might be secure by design, or just being able to afford to hire better coders, whatever definition of better you want to use there. So at the end of the day the security teams want to have good networking, applications, security; it isn't always possible. So researchers help keep enterprises safe through the products and services that they have, and vulnerability exposures can help secure more support from the business for the work that we do.

Which brings me on to compliance. So it's not only exposing vulnerabilities that can help enterprise security folk gain support from the business; compliance programmes can help them too. I know there's a lot of different opinions on security versus compliance. I think everyone is probably in agreement with... so the top image is from Thales, compliance doesn't equal security, and then the Venn diagram from Redspin, I think that's definitely right, there. So compliance standards such as ISO 27001 and PCI DSS require some of the basics to be done, things like patching and user management, and it tends to be getting the basics right rather than a blinky-light box that helps most organisations stay secure. So for researchers, sometimes products such as antivirus and services such as pen testing are deployed because they're part of an organisation adhering to compliance standards such as PCI DSS, so again it's about remembering that you're offering a service if you are in that sphere.

So my advice to enterprise security and GRC people: if you meet someone who isn't suited and booted or doesn't look how you think they should look, please don't write them off, write them off as somebody who doesn't understand business, enterprise security or GRC; you might be surprised. Don't be an enterprise rockstar and dismiss lowly tech work, or that it's just for kids. So why do we think enterprise people should go to tech events outside of their day-to-day and normal work, what value does it bring? So I think it helps keep tech skills sharp, and you're gaining insight and understanding of emerging threats and how this relates to your environment, and thinking about updating your risk models. It gives you a sense of the work and the effort that goes into security products and services. So quite often as an enterprise security person you might end up either forming part of a decision-making team and being involved in the purchase of those services, and I think it really does add value to really understand how much work and effort goes into research and pen testing and the skills they're bringing, and also why you might consider one product or service over another. So depending on your organisation, why you can't run it all in-house: a lot of companies are far too small. I've seen quite a lot of organisations where they still don't even have a security person or security team. Really big organisations like banks are now starting to advertise for roles such as malware analysts and researchers; the vast majority of organisations really do need to look at outsourcing that. And I also think it can really help attune your snake-oil sensor: so lots of people trying to sell InfoSec products and services, and I think by going to more technical conferences you start to know what sort of questions to ask when you're evaluating vendors and third-party suppliers, and it can make that decision-making process easier, but mainly it's about sniffing out the BS. And also, just learning something, it could be fun and interesting, it could even pique your interest and lead to a change in focus or role. So I've been really lucky that I've been able to go to BlackHoodie for a couple of years; one of the ladies there, roughly my age, so a decade plus in doing systems and ops roles, and she's now gone on to be a security researcher and start a PhD. So just getting the opportunity to try something techie could lead to doing something different and interesting and lead down a new path.

So advice to researchers: if you meet an enterprise security or compliance person at a tech conference, please don't write them off; they may have more tech skills than you realise. As mentioned previously, there are some, especially the big companies, that have really technical people working for them; I've known people who've been very, very low-level Windows geeks at some of the bigger companies. And I think just the fact that they're at a conference shows they are interested in learning; you should never dismiss that. The other thing to remember: there's no magic money tree. So unless you're in a really privileged position to be an independent security researcher, the chances are you're either in academia, possibly self-funded, or being comparatively massively underpaid, and in the future you might also be looking for private sector work. If you're working for a company offering security services, whether that is as a solo pentester for hire or part of a large consultancy or MSP, your salary is funded by enterprise security teams buying something that your company offers as a service. So whether it's a product you're involved in developing, or a skill or service such as outsourced ops or pen testing, it gives you an opportunity to meet your users and customers. So my advice to all, whatever type of InfoSec you are, in the words of Wil Wheaton: don't be a dick.

Question: what would you do? Communication. So it does feel a lot like an us versus them, at times. I think sometimes some of the very technical people don't understand why being compliant might be a priority for the business; some people are so focused on the tech, and the challenge of perhaps breaking something, that they don't understand that the business also has other needs. Being compliant can save you from reputational risk and fines, and just having a process and consistency also aids things like, at times, the availability; new tech, seen... So I think for enterprise organisations, I tend to find that there has been more synergy between compliance and the tech teams; they don't necessarily want to do the compliance work. So I was with one large organisation and my focus was a compliance project and they're so busy with ops, I think it's that prioritisation: you've got business users saying "I need this operationally", and you've got, [inaudible], living documentation. So I've worked with developers, and some developers have gone "I'm not going to document that, my code is documentation", and nobody likes doing admin; it's like tax season, and all last-minute it's done. But a lot of people do see it as not fun. I think that is the thing: I see a lot of the promotion from people like NCSC really promoting pentesting heavily, and events have lots of CTFs, and yeah, it is interesting work, but it's not the only thing out there. And I think there are lots of good things about governance and compliance, but not everybody can see that because it seems that way to so many. And I think also to get it working, I think you need to have a certain level of social skills to be able to talk to the business, to get the buy-in for it. There's lots of different threads with this as well, so you're not just focused on "I'm a network pentester", absolutely, "or web app pentester" or something like that. So, it's so good, I think the thing with it is it's so broad, and when you start doing things like, say, doing some ISO 27001 work, you've got to interact with so many teams. So how are you doing the identity and access management part? So people leading the development work on those, same people who are managing all the help desk processes for IDs, you're involving HR and...

So yes, that would be helpful. And what I've seen is there's so much pressure from the business, and with business I tend to mean marketing, it does tend to be marketing; so they want to be seen to be, so these things like promotions, that people say "well, we want to do X because we think it's going to drive more sales", or if there's somebody offering a service, "we want to be seen as the best brand and therefore we want to have this really cool app" or something like that, or this really cool feature. And yeah, they are so focused on delivering, and particularly when people feel like either their job's on the line or bonuses are on the line, then I think it's really hard for them to understand all the extra work behind the scenes: "why can't you just deliver it first?" But yeah, I do think there needs to be a lot more communication, both between compliance, governance (I'm doing a consultant role at the moment and I've done security management roles) and the creative people, whether that's a developer or people coming up with ideas about how they deliver your digital solution, so there's a better understanding of how much time and effort things take to get things from an idea to development, and it's not just having it [inaudible] one weekend, there in a lighter of a big

new Pistons

and there's an element of, I'd like to see more adoption of not just ISO 27001 and PCI, but there's lots of other ISO standards out there that an organisation can apply, so I think raising standards in the organisation by applying more of those types of things.

I suppose that thing of it can be a tick-box exercise; it's very subjective as to how you answer something. So when I was doing an ISO 27001 review I was told by the manager at the time to be the auditor and really challenge on that, so lots of people sort of fill it in, "yes, no, I'm done", and I think people who lack a technical background, they don't really know the right questions to ask to understand if they've really answered the question properly. So somebody's given an answer that they believe to be true but it's too high-level to really understand the risk that it's trying to mitigate, if that makes sense. So too broad a question can lead to big [inaudible], manipulation of the questions, I guess, misleading points.

And I've always seen enterprise security as a good process really; I guess, have you seen from your experience, you've been asked about supply chain integration discussions a bit more earlier, really very reactive? I think the business say "we're doing this", at the negligence... I tend to say being big, massive... I think I've seen a few where they weren't seeing more the third-party due diligence upfront; I think they've got auditors in there saying "we need to see", we've done that with it after, you do get that, but it really depends on the organisation: if they haven't got that oversight to begin with and they're not having to go through an audit process, they don't. And even then you still get a lot of shadow IT things happening, so even in organisations where, if things have come in through the proper channels then you've got an excuse to go through third-party due diligence, but when you've got the [inaudible] is just for senior management and going off and buying a service agreement on their own... Yes, yes, and things like proof of concept: proof of concepts becoming production and staying production, and then trying to find the time and then the budget to retrospectively go back and do the due diligence, so it does always seem a bit like firefighting. You don't think the message has got through yet? I'd love it to, but I don't think it has.

So I think one thing would be to get a work experience opportunity if you can, just to see what it's like working in an organisation. I do worry that some people will go straight into tech companies and development houses and are used to working with very savvy people, and when you're working with enterprise IT, some people in that organisation, they're going to have different skills and abilities. So with a big organisation you will have people who are doing Saturday part-time work or something, shelf stacking and that sort of thing, and a valued employee, but they still need all the training and they're not perhaps going to have the awareness or maturity and that sort of thing. I think working with, it's getting the opportunity to work with diverse people, because that's supposed to be the world. Getting some work experience. I think in terms of roles, I always think it's really good, when I work with junior security analysts, if they get the opportunity in an organisation to start out on helpdesk or at least spend some time on helpdesk; you get a better understanding of who the users are in that organisation and what their roles are and really what the business is about. So it might not be, developing that for that company, ultimately probably a member of the public, but their business of trying to service or support in some way. I do worry that I'm not seeing many [inaudible] academia communities; so, I think Lancaster had something via one of the colleges, a foundation degree that was an administration engineer-type course; otherwise if it's traditional computer science there's lots of emphasis on programming and security. Okay, no, no, that's really interesting, thank you, but they can be less operationally focused. Yeah, I think it is in some ways quite easy for people to get into things like pen testing because you've got all these online challenges and it's something you can do independently. So I think getting to see what other IT teams do, so that might be understanding what your DBA is doing, because that's what you...

front-end web apps passing information after you
