
BSidesSLC 2025 - Risk Management Explained Through Star Wars – Kenny Scott

BSides SLC · 28:35 · 135 views · Published 2025-06
About this talk
🚀 What do the Death Star, thermal exhaust ports, and a farm boy from Tatooine teach us about cybersecurity risk? In this fun and insightful BSidesSLC 2025 talk, Kenny Scott (Founder & CEO of Paramify) brings risk management to life through the galaxy-spanning saga of Star Wars. Using relatable analogies and real-world parallels, Kenny breaks down complex GRC concepts into something even a Jedi youngling can understand.

You'll learn how to think about:
- Assets – like Death Stars (high value, high risk)
- Vulnerabilities – like thermal exhaust ports (whoops)
- Threats – like X-wings and Rebel scum
- Controls – from force fields to Darth Vader himself
- Risk Treatments – Mitigate, Share, Transfer, Accept, or Avoid (choose wisely)

Whether you're leading a GRC program, just getting into cyber risk management, or love Star Wars metaphors way too much, this talk will leave you with:
- Actionable insights on managing risk in your organization
- A fresh way to communicate risk to stakeholders
- And yes… a better understanding of how the Empire really dropped the ball

About Kenny Scott: Kenny is the Founder & CEO of Paramify, a platform streamlining compliance reporting for cloud service providers. With 18+ years in cybersecurity, GRC, and IT audit (CISSP, CISA), Kenny helped pioneer Adobe's Common Controls Framework and supports teams working with FedRAMP, SOC 2, ISO 27001, and more. Also: father of 5, musician, snowboarder, surfer, and full-time rebel against bad compliance processes.

👉 Learn more about BSidesSLC: https://www.bsidesslc.org/
🌐 More from Kenny: https://www.paramify.com/

#BSidesSLC2025 #StarWarsSecurity #RiskManagement #GRC #KennyScott #Paramify #CyberSecurity #DeathStarAnalysis #ThermalExhaustPorts #InfoSecHumor #FedRAMP #SOC2 #ComplianceIsCool #XWingThreatModeling
Transcript

What's up, everybody? My name is Kenny Scott. I'm the founder and CEO of Paramify. And when people ask me what I do, most people lose interest really quick. So about 20 years ago, no, not that long, about two decades ago, I decided that I needed to get a job, and I was thinking I would do Wall Street or something like that, because I like finance. Is anybody buying stocks today? Did anybody buy any stonks? Hey, yeah, some. Okay. So, I love markets so much and I thought that's what I was going to do. But then I took a computer science class and I started programming. Oh, that's pretty cool.

So I wasn't one of those people that, oh, I've been programming forever. And so I sucked pretty bad when I was going to interview for things, but you know who would hire me? PwC. And at the time, they would hire anybody out of BYU with a pulse, right? So I fit in really good there with the people, and I loved the Bay Area. I loved the clients I was working on, and I just loved it, man. I loved that part and I loved the food in the Bay, but the work was actually soul-sucking. I freaking hated it. And every Sunday night I'd have this pit in my stomach, just like you. Has anybody else had the pit in the stomach? It's Sunday night and you're like, "Dude, I can't do it, babe. I can't. I can't." And I would still go anyway. I'd go to work, you know?

And then I tried to do another startup with my friend and I thought I was going to be a billionaire. And I'd take my wife to Los Gatos and we'd go get ice cream. I'm like, "We're going to have a house here. It's going to be awesome." And now, the idea that I had was really stupid. So I was a really bad coder and also a bad business person, because I was just trying to build something that I thought was cool, you know. And it turns out that people really don't care about your opinion about things that you don't know about. And so I learned that the hard way.

I also wrote a bad script once that took out a data center, a joint data center at the time. I just forked the process. I'm like, we need this parsing to go faster. And I'm like, done. Let's fork it. And I didn't put an upper bound on it. And it just... I found a vulnerability, right? And it was pretty freaking awesome. I took it out, went through the whole cage. They didn't have any controls there.

So anyways, later, you know, I was like, this isn't working, but I still had kids to... I had a couple kids by then, and I'm like, I've got to take care of them. So my wife asked me, she's like, "Hey, so what is it that you actually really hate? You always complain, right?" And she's pretty good to just listen. And she's like, "So what do you actually hate?" I'm like, "Just generally, I hate everything about it, you know." But I was still in that job. And she's like, "No, no, no. You've got to get specific." And so I'm like, "Okay."

And so I'm just putting things together in my own brain, kind of going through my own personal wilderness, you know, just thinking, what do I do? Lots of Zoolander moments. And I thought to myself, if you focus on the problems that are in your sphere of influence and you focus on fixing those, your sphere of influence can grow. And I do like problem solving quite a bit. And what I figured out was, hey, the last business I had, no one wanted to pay me because no one cared about the problem. But when you're a consultant, guess what they do? They give you problems that no one else wants to solve. So somebody in a cost center goes like, "Oh man, I want to go on vacation. We're going to Hawaii. Got Tahiti coming up and I don't want to do this freaking FedRAMP document," and so they give that to consultants, because the consultants are happy to charge their rate and just, you know, stick a body on it. That's what I said. Remember, anybody with a pulse, right? And that's their model. Right now, I don't want to disparage them too much, because there's a ton of stuff that I started to figure out. And eventually, once I started focusing on the problems in my sphere of influence, dude, everything changed for me. And I all of a sudden had a great career. And that was how I got into security. It was from the governance side.

And I had a little bit of technical experience, not good, but familiarity. And I was never like Bryce or anybody else like that who could do something really cool with tools, and all the other guys that are presenting today are doing something of value. So where I found my niche was: how do I make risk management approachable for everybody? Because what I found is that humans, we're not really good at gauging risk, and sometimes we overclick on risk and we don't do things. And that is just my experience.

So what we're going to talk about today is risk management. And so what do you guys think about when you think about risk? Huh? Anybody? Yeah. What? I'm scared of risk. You're scared of risk. Yeah. Scary. You know what I think of? Think of... Oh, it's not working. Think of Star Wars. Okay. So today I'm going to teach you what Star Wars teaches us about risk. And if you've seen this already, you're in luck. You get to hear it again. So... Oh, yep. I forgot to change the date. Sorry. So, here we go.

You guys know it, right? A long time ago in a galaxy far, far away, there was an asset. A big asset. That's no moon. It's a space station, right? Big, huh? I think this is from a video game, this one. Who knows the video game? Nobody. And it's a planet killer. There goes Alderaan. Okay, so that's your first thing when you think about risk: your asset. Okay, how big is it? How important is it? This is one of the most epic fails in all of science fiction. And so we're going to double-click on it. Many brave, noble people have given up their social lives to give us numbers on the real impact that happened.

Okay. So, the reactor module, that's the key. That's the place I've laid my trap. It's well hidden and unstable. One blast to any part of it will destroy the entire station. Right. Okay. This is the vulnerability, right? Every asset, there might be a vulnerability on it. How big is the thermal exhaust port? Does anybody know? The size of a womp rat. Luke Skywalker would nail womp rats with his T-16 back on Tatooine. How big are they? Yes. I knew you guys wouldn't disappoint me. I knew it. Okay, so then we've got a threat, right? Got an X-wing. Do you guys like that icon? I worked on it for like seven hours.

Okay, so we got the threat right here, and then we got controls. Controls. Okay, stormtroopers take over, right? Turrets. Got the dark side of the Force, right? And you know, I worked a long time on those, too. If you want them, I can share them. Okay. All right. I have you now. All right. So he thinks he's all confident with his controls, and then those controls... and then what happens to the controls, right? Lol, dude. Control failure. Right. Here comes... Right. And then we have what? Impact. Right. Controls failed. Oh, I didn't... It's on my... Dang it, dude. I forgot to load it, you know. All right. Anyways.

Okay. So, what's the total cost? Who knows how to read this number? There's comma one, two, three, four, five, six. Okay. Six. Six commas. Does that make it septillion? 193 septillion galactic credits, right? Not intergalactic credits. It's just galactic. There's one galaxy, right? Far, far away. So in that galaxy, 193, and this is a long time ago. So adjust for inflation. Geez, dude. Right. Okay. So we estimate, this is from Wikipedia, right? We said, okay, so it's probably about 1 to 1.5 million headcount, stormtroopers. So you've got to price that in. Pay them like 130, right? Back then that was a lot. That was a good living. Here, it's basically your budget for DoorDash, right? So 130K credits, and they're also priceless, right? The stormtroopers.

Okay. So what is the GDP of that, right? How many commas is that? 1, 2, 3, 4, 5, 6, 7. Seven commas, octillion. So about almost five octillion. How many seconds? How many years? Dude, these numbers are just insane. Massive numbers. And then 20 years. One, two, three, four, five, six, seven. How many? Okay. So yeah, 92. I didn't have to count those again. I could have just gone four times. Okay. All right. So 92 octillion. That's so much, right? So they didn't really cost this out, right? Is my feeling. This is what they didn't do, right?

So anyways, I was bugged about this, and Angie was wondering what the heck's going on. And it's bugging me, right? Why didn't the Empire put more controls around the thermal exhaust port? Okay, I found the exact meme of what was in my brain. Okay, so what even is risk management? Does anybody have a good definition? Who has a good definition for risk management? I mean, yeah. Okay. So, all right, let's start with inherent risk. Okay, here we go. So the inherent risk is the inherent likelihood and the inherent impact of a threat exploiting a vulnerability without any controls in place. Okay. So, if you have a server that's in a garage, what's the inherent risk associated with physical security versus the inherent risk of a server that's in an AWS data center, right? So those are some really easy ways to think about it.

Okay. So we've got a few options that we can do. These are not mine, but I kind of say them anyway. So the first thing with a risk is you say, hey, am I going to do something about this? Okay, so you make a decision: am I going to mitigate this risk? So you're going to add controls and you're going to optimize the process so that you can mitigate that risk to the lowest possible. The risk is never zero, but you're going to make that decision.

The next thing you can do is share the risk, like it's a pizza. Okay, so some other things for sharing the risk: cloud is a good example. So a lot of us, on our systems that we build, we use S3, right? Or we use EKS in Amazon, or we use cloud storage in Google or whatever it is. Google shares that risk with you, the end user, right? So for S3, they do all this stuff to make sure that there's encryption enabled and they put all these controls on them, but at the end of the day, the person who has the controls around configuring that, the end user, you can open that up for the world. So you can break all of the controls that have been given to you. So there's a shared risk model there, right? It's split between two people, or more sometimes. We'll talk through it in some examples later.

Next thing you can do is you can transfer the risk. Okay, so the risk of someone driving a truck into an AWS data center and stealing all the hard drives, you don't have to worry about that, right? Because AWS has that for you. They have wall-mounted machine guns and all that stuff. Those are the things that we assume are in place, right? To protect our data, right? So you transfer that. There's nothing you can do for that. Okay. The other thing you can do is just see the risk and you're just like, whatever, right? Take a sip of your coffee and you're just like, it's fine. The other thing you can do is avoid it, right? So this is, I always say, this is like me when I was dating. I was just too scared, right, to go out there. So I just said I'm not even going to try. Yeah. Okay. So that's inherent risk, and we've got to make a decision. And so after we've made a decision, the residual risk is the inherent likelihood and the inherent impact of a risk exploiting a vulnerability with the controls in place. Okay. So that's your residual risk.

Okay. You're letting her keep it. Would you like to know the probability of her using it against you? It's high. Let's get going. Okay. So, how do we assess risk? We suck at it generally, right? It's hard to do and it's just so unknowable. So we're going to talk about the methods that you use to assess risk. Anybody know? There's two methods that I'm looking for, right, for assessing risk. They both start with the letter Q. What's one of them? Quantitative. Quantitative and qualitative. Okay.

We usually start with qualitative. That's the one that we really start with. And here what I want everyone to understand is, when you're doing qualitative risk assessment, you're looking at the experience of the person who is doing the qualitative risk assessment. So, like for me, when I was thrown into PwC, I didn't know anything about anything. If I'm doing a risk assessment, I'm going to suck really bad because I don't understand people's environments. So when you're thinking about qualitative risk assessment, you're looking for people who have been burnt, right? People who have gone through a couple incidents, people who understand things, right? And a lot of times people will outsource a gap assessment to someone who has no freaking idea, right, of their environment. And so you're going to get the mediocre result that you deserve if you do that. Okay? So you can't abdicate these things to someone who has no idea.

Okay? So let's go through a qualitative risk assessment. Let's say Star Wars is real. And we know about the lore. We know about Darth Vader, right? We've seen him in staff meetings, right? We see how he handles it, right? He gets upset, right? "I find your lack of faith disturbing." So good. "Enough of this. Enough of this." And so you go up... What if you go up to this guy and you have no idea and he's at a bar and you say, "Hey dude, which one of those buttons calls your mom to pick you up?" Right? We would know, like, "Hey dude, you cannot do that to him." Right? So, what's the risk of death if you're in a saber duel with Vader, right? For us, we know, right? It's high. Like K-2SO would say, it's really high. You're going to die. Okay.

But here's the tougher one, right? How do you do qualitative risk assessment on the thermal exhaust port? What's the likelihood of these two bombs flying at a freaking crazy speed and they make a perfect 90-degree turn into the little womp-rat-sized exhaust port? You know, most people are like, "Come on, dude. No." And so you're saying one blast to the reactor module and the whole system goes down. That's how you said it. The whole system goes down. I love that. Okay. All right. So we would say, okay, we're like, dude, it's really low, you know, it's really low that that happens. And then you could say, like, the impact, I don't know. It's probably not going to blow the whole system down. And they're like, I don't know. Is it really moderate or is it just low? Remember, they're probably thinking no big deal, right?

So, when you go to your manager or to your director or your VP, or you're making some sort of risk decision and you don't have data here, it's really, really hard to explain to someone the risk of something. Really, really difficult. And I've been in those situations. So, what's the risk, Kenny? Uh, high. It's high or it's low. What does that mean? Right? And so that's where we go into the quantitative risk. Okay? And so we're going to put some numbers to this. Thanks to all the nerds that helped us out. Okay? This is my super simple quantitative risk assessment equation that I use. And I don't use it very often, because it's really hard, but let's just look at how we might do it from a poor man's perspective.

Okay, so we've got R equals risk impact, T equals the threat, V equals vulnerability, and assets. Let's let that be assets impacted. And then what we need to do is we need to solve for the probability. And so fortunately for us, we know what the probability of this happening was, right? Why? Who knows what it was? What was the probability, right? Okay. So, let's put some numbers in here. We got all those huge commas, like lots of commas. We've got one X-wing. We got a small exhaust port, but we need... what is the probability? Okay. "Great shot, kid. That was one in a million." Okay, so we've solved for it. Right there, dude. We've solved for it. That's not... dude. Chump change. 92 billion, man. Just spend it, man. And it looks like, I don't know, they could have put like 92 billion of controls around there. I don't know. So, they blew it, right?

And you know, risk assessment is really hard, right? It's really hard just to do this. It requires experience and data, and you can't overclick on everything. You've got to move fast usually. So I'm going to talk a little bit about some of the things that I do. I think the future of risk management looks a lot like it does today, except now we have the advent of AI. So for qualitative, these are my rules. Qualitative: experience matters. Quantitative: data matters. And artificial intelligence: humans matter. And so I'm going to talk about some of those things.

So here's some little figures that I put together for how I think about how to do quick risk assessments. And we do this at Paramify, right? So we think of everything in terms of a stack. Okay? So a stack could be something as big as a company or it could be something as small as your little IT team. And there's usually some sort of purpose for which you exist, right? So if a company exists, this is what we do. Here's the data that we need. So what is the data that you need to consume to fulfill your purpose? And we start there. Is that data really important? Is it really sensitive personal information? Then the import of the protections goes up. If it's just, you know, analytics and it's not that important, it might be super low impact. And that's really important to understand. Then, once you've decided how important it is, you go through what are the people, what's the process, and what's the technology that's used to put that together. If you do that one thing alone, just understanding the data flows within your environment, that changes the game for everything. You start there and everything becomes a little bit simpler, right at the very beginning.

Okay. So, let's see here. Then you think about what are some of the cyber threats associated with those stacks, right? So, smishing attack. What is it going to do? That's the path, right? Someone gets tricked, happens all the time, unfortunately, and then from there those people can exploit the technology and get to the data. You can have SQL injection, where someone might take advantage of a really bad vulnerability management process, and so you can exploit those unpatched apps with SQL injection. That would be the path. And then simply, maybe a service outage. What's the risk of something getting fat-fingered altogether, right? So yeah, I like to think in terms of that.

And then... Oh, this is not the right... Give me a second. Give me a second. Come on. Wait a second. Dude, where's my kitten? Oh, I'm scared. I can't find it. I'm trying to... ah, Escape. Okay. So, what we do is we do these things called risk solutions. So everybody that gets into our platform, we set up a bunch of risk solutions for them, just right out of the box, based on the normal processes that we see. Okay. So, what are some of the things that can mitigate risk? Right? So, strong multi-factor authentication mitigates the risk associated with smishing by a lot. Okay, that's a really easy one, and it's crazy how much doesn't have that, right? Super, super easy, right? And then setting that up correctly is important too, right? Like the MFA bombing, where do you want to put your authentication, right? Web app scans, those are other risk solutions. Some of you guys do this for your companies. You're scanning apps and you're finding the vulnerabilities. Those DoS mitigation techniques: Route 53 can be a part of that. AWS Shield can be a part of that. Cloudflare has a great solution for this. You know, you don't have to reinvent the wheel, right? And then automated backup. Again, the risk there is greatly mitigated if you're using a cloud solution that has all this stuff backed up. Like S3 going to a different region is so freaking easy, versus if you're in a data center, you're going to have to put together some other solution for that, right? Okay. So anyway, let me kind of go out of this one more time. Let me see what else I put in here.

Let's see here. Escape is okay. Anyway, we'll do that. Continuous assessment. Okay. Yeah, I'm cool here. No big deal. What is that? Continuously assessing these different areas, right? Technology, process. Is there an issue here? Having a way to kind of continuously assess within your stack where these things happen. There's great tools out here to do this. And you don't actually need to buy a SaaS. You don't need Paramify to do this. It's just a matter of inventorying your people, process, and tech, right? The data drives how important it is. The data drives how important it is and what kind of protections you need to have in place. You don't need to protect everything, right? You don't have the same protection measures on all areas, right? So this is my real simple way of thinking about risk management altogether. Okay? So let's go back and find where I'm at. Okay. So, keep it simple. Keep it the size of a womp rat. Right. That's all. You can be my friend. You can connect on LinkedIn. You can follow us at Paramify. Really appreciate the time. And if you have any questions, yeah, come say hi. If you want this presentation, I can share it with you. Cool. Ciao.