Given at the BugCrowd conference in January 2019; this was the first time this deck was presented.
For 25 years or more we have fought the battle of passwords and patches while, all around us, the world has developed, data has increased exponentially, attack surfaces are everywhere and technology has quite simply forced the human race to consider evolution cycles measured in single lifespans as opposed to millennia. During the last 25 years we have done little to protect the charges we are responsible for: we have failed to secure systems, allowed financial attacks, infrastructure attacks, and now attacks directly against humans. At what point will we be able to stem the bleeding and actually take charge of our realm? Have we left it too late, or are we still able to claw back out of the abyss and face our adversary in a more asymmetric, defensive manner? Can we actually provide safety and security to our charges, or will we continue to fail? And, critically, how do we communicate this and educate a population that is content to watch from the sidelines while it is being digitally eviscerated?
Hackers contemplations
1. We Reap What We Have Sown
Where Do We Go From Here?
Chris Roberts
Chris@AttivoNetworks.com
Sidragon1 (LinkedIn and Twitter)
2. Agenda
• We’re broken
– How to take 500 and make 20
• 1001 ways to remember your password
– How to go back to the beginning
• Our history
– Painful lessons to learn
• Education or eradication?
– What roles do the humans play in the future?
• Do no harm…
– Can we use this?
• Security, safety, risk?
– What is right, and how to use it
• Replace the blinky stuff
– What is going to work to safeguard the future?
• Wrapping it all up
– Some wise words from someone else
4. The Purple Goatee…
• In the InfoSec/Cyber industry for too many years...
• Broke Nigeria, ISS, Mars Rover, airplanes, trains, etc.
– Researched a whole lot more…
• Now with Attivo Networks (official stuff comes out next week).
– Why? Because I’m fed up with the blinky reactive stuff…
– Why? Because the deceptive space gives us asymmetric defense for once.
• Currently researching humans, consciousness computing and shipping.
– Because there’s better ways than passwords!
– Because the future’s not already scary enough
– Because it seemed like a good idea to make a ship roll over…
• Might also have a whisky collection that borders on the obsessive…
– Occasionally travels with the whisky football (thanks Inbar!)
8. 2018 Top 10 breaches (≈2.5 billion records):
• Aadhaar: 1.1 billion
• Marriott/Starwood: 350-500 million
• Exactis: 340 million
• MyFitnessPal: 150 million
• Quora: 100 million
• MyHeritage: 92 million
• Cambridge: 87 million
• Google+: 52.5 million
• Chegg: 40 million
• Facebook: 29 million
Sources: Privacy Rights, Computer Business Review, Experian
13. Change The Paradigm!
How “Hackers” see themselves
Who “Hackers” ACTUALLY are
How the media and a LOT of society SEE “Hackers”
14. How Do We Fix This?
How do we take 1,200 vendors and find the few good ones?
• Shoot the blinky lights (-350)
• Taser the AI/ML (-300)
• Cattle prod to BlockCypherSIEMIntel (-200)
• More reactive stuff? (-200)
• “We’ve got a solution for all of it” (-100)
DO
• Focus on those who listen more than talk.
• Talk with those who focus on outcomes, metrics and improvements within both human AND technical realms.
• Look for proactive and predictive solutions, AND solutions that focus on asymmetric defense.
• Look for solutions, NOT Band-Aids.
15. Worst case, play buzzword bingo:
The winning vendor is whoever uses the LEAST buzzwords!
17. Band-Aid Not Fixing…
• HOW many companies are out there trying to solve ONE simple problem?
• HOW many billions will we spend on password management? (Answer for 2019: $10 billion or so.)
• How many solutions out there overly complicate a simple thing…
• It’s a freaking password, we’ve had them since the ’60s and we’ve still NOT solved them!
19. Mapping The Brain…
Left: Recording my brain interacting with my test computer
Right: Replayed a heap of times along with phone and two other devices.
The brain interacting with the various systems, to get a baseline with some deviation.
21. Same Issues, Different Application:
• We’ve been talking about transportation, intermodal and all things with wings, wheels, tracks, tyres and fins for 10 years or more…
• As researchers, we’ve shouted from the tallest places, and still MANY of the industries don’t pay attention…
• So, time to put the hammer down!
22. Planes Today…
ALL the data, ALL the time, ALL the locations
• 10,000 sensors in a wing
• 7-8 TB of data per day
• 5,000 data points a second (engines)
30. Trains, Signals And Rail Yards…
• Rail yard, run by a 3rd party, manages freight across the entire country.
– TELNET access, ID=Admin PWD=Admin1
• GE-EMD Locomotive
– Cellular, rail-line or network access to the train
– ID=Admin PWD=000000
• ElectroLogIXS switch (scattered ALL over the USA.)
– Allows signals to be interrupted AND changed…
– Man NOT Present, bypassed. PWD=password
– Can change signals from RED to GREEN, etc.
31. 3 years of research and still NOBODY is really listening.
46. Back to Basics
• The human:
– 1 hour of awareness training PER year
– ½ session of “don’t click shit”
– ½ session of “don’t send shit”
– No understanding of balancing work and life security
– P@ssw0rd1 used at work and on Facebook etc.
– Thinks the “S” in HTTPS is for wimps
49. Back to Basics (2)
• Your computers:
– The ones on the FLAT network running W2k
– The ones in the warehouse running XP
– The ones the vendor said don’t touch
– The ones on the Internet with RDP!!
– The ones on the Internet with 1433/3306/Etc.
– The ones you don’t even know about!
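The slide above is a list of the machines that keep turning up on the Internet with RDP, 1433 and 3306 exposed. The script below is an added example written for this page, not code from the talk or its author: it parses nmap “grepable” (-oG) output and flags every *open* port from that list, plus Telnet from the rail-yard finding on slide 30. The port table, the RFC 5737 host addresses and the scan lines are constructed for illustration; point `parse_grepable` at a real `nmap -oG` file to use it.

```python
"""Flag hosts that expose remote-management / database ports to the Internet.

Added example (not from the deck). Parses nmap grepable (-oG) output and
reports open ports from RISKY_PORTS. Everything below the imports is
constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Assumption: a starting list, not an exhaustive one. RDP/1433/3306 come from
# the slide; Telnet from the rail-yard default-credential finding.
RISKY_PORTS: Dict[int, str] = {
    23: "Telnet",
    1433: "MSSQL",
    3306: "MySQL",
    3389: "RDP",
}

# Constructed nmap -oG lines. Fields are tab-separated; each port entry is
# port/state/proto/owner/service/rpc/version/. Addresses are documentation
# ranges (RFC 5737), not real hosts.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///, 3306/filtered/tcp//mysql///
Host: 203.0.113.12 ()\tPorts: 443/open/tcp//https///
Host: 203.0.113.13 ()\tStatus: Up
# Nmap done (constructed sample)
"""

_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, state, proto), ...]} for every Host: line.

    Hosts with no Ports: field (e.g. only 'Status: Up') map to an empty list.
    """
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            hosts.setdefault(host, [])
            continue
        entries = []
        for chunk in ports_field[len("Ports:"):].split(","):
            m = _PORT_RE.match(chunk.strip())
            if m:
                entries.append((int(m.group(1)), m.group(2), m.group(3)))
        hosts[host] = entries
    return hosts


def exposed_services(text: str) -> List[Tuple[str, int, str]]:
    """(host, port, name) for every risky TCP port in state 'open', sorted.

    'filtered' and 'closed' are deliberately ignored: a filtered 3306 is a
    firewall doing its job, not a finding.
    """
    findings = []
    for host, ports in parse_grepable(text).items():
        for port, state, proto in ports:
            if state == "open" and proto == "tcp" and port in RISKY_PORTS:
                findings.append((host, port, RISKY_PORTS[port]))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, name in exposed_services(SAMPLE_SCAN):
        print(f"{host}: {name} ({port}/tcp) is reachable, take it off the Internet")
```

Run it against the output of `nmap -p 23,1433,3306,3389 -oG scan.gnmap <your public ranges>`; the “ones you don’t even know about” are exactly the hosts in the result that are not in your asset inventory.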
51. Back to Basics (3)
• Your perimeter:
– Accept it, you don’t have one
– The laptops, iPhones, IoT took your control away
– Computer No1 on YOUR network is hacked
– 2018’s NGIPS/UBA/NGFW isn’t going to help
– Reactive, static defenses suck and don’t work
– There is NO cake, no fairy and NO simple answer
– Start looking at preventative, proactive, predictive
53. Back to Basics (4)
• Passwords (still)
– Stop the re-use!
– Teach pass phrases and password vaults.
– Teach separation/segmentation
– 2FA, it’s NOT hard to integrate
– All your users DON’T need to be admin!
– All your admins NEED to be separated
– All your developers DON’T need to hardcode
55. Back to Basics (5)
• Get a plan
– Face it, shit’s going to hit the fan at some point.
– Be prepared: it is simpler to reach for the IR forms than to wonder WHAT to do…
– Have the communications plan in place, ready to go…
– Have the humans prepared. (No, not cannibalism)
– Practice makes perfect; headless chicken mode is NOT needed…
– Know the steps (OODA, or the NIST SP 800-61 incident response lifecycle)
62. What Is It?
“Given an existing problem, it may be better not to
do something, or even to do nothing, than to risk
causing more harm than good.”
Basically the OODA loop (where A might equal simply leaving it alone!)
65. As An Industry…
• Do we have the discipline to take a step back and understand that our approach for the last 25+ years has NOT worked?
• Do we have the humility to go to the business and ask for their help in understanding HOW to efficiently integrate?
• Can we talk business risk and NOT geek?
67. Safety vs. Security
• Humans have evolved over the last 50-60,000 years.
• Humans have always been targeted, depending upon various circumstances.
• We UNDERSTAND safety.
• Security is NOT part of our language.
68. There is NO such thing as security.
There is just the measurement of RISK.
69. Risk Not Security:
• Arguably there is nothing that can be totally secured.
– Therefore, does a state of security really exist?
– If yes, then HOW do you measure security?
– If no, then WHY are we going round in circles trying to tell folks what, exactly?!?
• Change the conversations: talk about risk.
– NOT “cyber risk” but simply business risk.
– We know that companies have quantified risk for as long as someone’s been willing to sell insurance.
– If we can’t beat them…join them!
74. Walls… Fire, Brick, Etc.
“Walls for the last 4,100 years have provided temporary relief at best, but a fool’s folly for the most part. They are nothing more than a willy waving exercise designed to attract MORE attention and innovation in how to circumvent and bypass.”
76. More Blinky Lights…
• You have SIEM installed…and more alerts than a team of minions could ever handle.
• You WOULD have policies, procedures and controls IF you could all agree…
• You get a penetration test, but let’s face it…most of the time it’s a checkbox, NOT an actual off-the-leash test…
• You congratulate yourself when the auditor leaves WITHOUT finding the skeletons.
• You don’t have good metrics to report to the board…
79. Blunt
• You don’t have a perimeter:
– You lost that when you allowed email to become mobile and the cloud took it to a whole new level, let alone the 3rd parties and supply chain that have access everywhere...
– When the coffee machine talks to the fridge and Alexa answers…you don’t have a perimeter!
• You haven’t fixed the basics:
– Patches done ALL over the place (on stuff you can find) hopefully…ish
– You have an SDLC for developers, and all those teams are managed correctly?
– You have shared code ALL over your apps, and don’t know it.
– Defaults in place, passwords not separated, local admin for users?
– You train your users annually and expect them to remember? (never mind PPC’s)
• I’m here…
– And you are not watching all your logs ALL the time, OR you’ve tuned me out?
– You think that antivirus is effective, or rely upon endpoint protection.
– You think your firewall’s going to save you…
85. All Of Us…
• Irrespective of your background.
• Irrespective of your race, creed, color, faith, or eye color.
• Absolutely irrespective of your orientation!
• Change takes ALL of us.
– This isn’t security’s problem, it isn’t the researchers’ fault, and we need to stop blaming the hackers.
– This isn’t the C-Suite’s blame to carry, nor is it the users’ issue to solve. Developers need to be out of the firing line, as does EVERYONE in the business.
• We ALL take some of the responsibility, therefore we ALL have to solve it…together!