We Reap What We Have Sown
Where Do We Go From Here?
Chris Roberts
Chris@AttivoNetworks.com
Sidragon1 (LinkedIn and Twitter)
Agenda
• We’re broken
– How to take 500 and make 20
• 1001 ways to remember your password
– How to go back to the beginning
• Our history
– Painful lessons to learn
• Education or eradication?
– What roles do the humans play in the future?
• Do no harm…
– Can we use this?
• Security, safety, risk?
– What is right, and how to use it
• Replace the blinky stuff
– What is going to work to safeguard the future?
• Wrapping it all up
– Some wise words from someone else
Intro
The Purple Goatee…
• In the InfoSec/Cyber industry for too many years...
• Broke Nigeria, ISS, Mars Rover, airplanes, trains, etc.
– Researched a whole lot more…
• Now with Attivo Networks (official stuff comes out next week).
– Why? Because I’m fed up of the blinky reactive stuff…
– Why? Because the deceptive space gives us asymmetric defense for once.
• Currently researching humans, consciousness computing and shipping.
– Because there’s better ways than passwords!
– Because the future’s not already scary enough 
– Because it seemed like a good idea to make a ship roll over…
• Might also have a whisky collection that borders on the obsessive…
– Occasionally travels with the whisky football (thanks Inbar!)
We’re Broken
2018 Top 10: (2.5 billion)
• Aadhaar: 1.1 billion
• Marriott/Starwood 350-500 million
• Exactis: 340 million
• MyFitnessPal: 150 million
• Quora: 100 million
• MyHeritage: 92 million
• Cambridge Analytica (Facebook): 87 million
• Google+ 52.5 million
• Chegg: 40 million
• Facebook: 29 million
Sources: Privacy Rights Clearinghouse, Computer Business Review, Experian
124 Billion For What?!?
386 Conferences…
Hundreds Of Vendors Lying
Oh, That Reminds Me…
Change The Paradigm!
How “Hackers” see themselves
Who “Hackers” ACTUALLY are
How the media and a LOT of society SEES “Hackers”
How Do We Fix This?
How do we take 1,200 vendors and find the few good ones?
• Shoot the blinky lights (-350)
• Taser the AI/ML (-300)
• Cattle prod to BlockCypherSIEMIntel (-200)
• More reactive stuff? (-200)
• “We’ve got a solution for all of it” (-100)
DO
• Focus on those who listen more than talk.
• Talk with those who focus on outcomes, metrics and improvements
within both human AND technical realms.
• Look for proactive, predictive solutions AND solutions that focus on
asymmetric defense.
• Look for solutions NOT Band-Aids.
Worst case, play buzzword bingo:
The winning vendor is whoever
uses the LEAST buzzwords!
1001 Ways To Remember Your Password
Band-Aid Not Fixing…
• HOW many companies are out there trying to solve
ONE simple problem?
• HOW many billions will we spend on password
management (answer 2019, $10 Billion or so)
• How many solutions out there overly complicate a
simple thing…
• It’s a freaking password, we’ve had them since the
60’s and we’ve still NOT solved them!
Goodbye Passwords
Mapping The Brain…
Left: Recording my brain interacting with my test computer
Right: Replayed a heap of times along with phone and two other devices.
The brain interacting with the various
systems, get a baseline with some
deviation
2020 Password Management
Not MitM, but Drill in the Middle…
Same Issues, Different Application:
• We’ve been talking about transportation,
intermodal and all things with wings, wheels,
tracks, tyres and fins for 10 years or more…
• As researchers, we’ve shouted from the tallest
places, and still MANY of the industries don’t pay
attention…
• So, time to put the hammer down!
Planes Today…
ALL the data
ALL the time
ALL the locations
10,000 Sensors in wing
7-8TB data per day
5,000 data points a sec. (engines)
Yea…Guess Who’s Going Back To Planes
Transportation & Intermodal
Cars And Lorries
Ships Through The Front Door…
Open RDP to a few container ships??
Make It Roll Over…
RDP to the ship, then from the maintenance system scan to the
ballast control module (May 2018)
And…Over Again
SATCOM – Navigation – RDP – Maintenance – Ballast Control
Locomotives:
What to do when you get banned from several airlines…
Trains, Signals And Rail Yards…
Rail yard, run by 3rd party, manages freight
across the entire country.
TELNET access, ID=Admin PWD=Admin1
GE-EMD Locomotive
Cellular, rail-line or network
access to train
ID=Admin PWD=000000
ElectroLogIXS switch (scattered ALL over the USA.)
Allows signals to be interrupted AND changed…
Man NOT Present, bypassed. PWD=password
Can change signals from RED to GREEN Etc.
3 years of research and still NOBODY
is really listening.
Why Can We Still Break Everything?
Our History…
Computing, IT, InfoSec, CyberBS
Wrong!
The Early Years..
What Happened?
Advertising targeted the boys and the
teenagers…
The “male geniuses” came into being…
And This BS…
We Need To Bring Back BALANCE!
Applied Knowledge…
We Need People Who Care...
Speaking Of Humans…
Education Or Eradication?
Fix The Basics!
Back to Basics
• The human:
– 1 hour of awareness training PER year
– ½ session of “don’t click shit”
– ½ session of “don’t send shit”
– No understanding of balancing work and life security
– P@ssw0rd1 used at work and on Facebook etc.
– Thinks the “S” in HTTPS is for wimps
Fix the humans
Change the conversation
Safety NOT Security
Back to Basics (2)
• Your computers:
– The ones on the FLAT network running W2k (Windows 2000)
– The ones in the warehouse running XP
– The ones the vendor said don’t touch
– The ones on the Internet with RDP!!
– The ones on the Internet with 1433/3306/Etc.
– The ones you don’t even know about!
Remove the easy ways in!
Back to Basics (3)
• Your perimeter:
– Accept it, you don’t have one
– The laptops, iPhones, IoT took your control away
– Computer No1 on YOUR network is hacked
– 2018’s NGIPS/UBA/NGFW isn’t going to help
– Reactive, static defenses suck and don’t work
– There is NO cake, no fairy and NO simple answer
– Start looking at preventative, proactive, predictive
Get eyes inside your world!
Back to Basics (4)
• Passwords (still)
– Stop the re-use!
– Teach pass phrases and password vaults.
– Teach separation/segmentation
– 2FA, it’s NOT hard to integrate
– All your users DON’T need to be admin!
– All your admins NEED to be separated
– All your developers DON’T need to hardcode
Education and simpler integration
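“2FA, it’s NOT hard to integrate” in working code. The block below is an added example, not code from the slides or from Attivo Networks: it implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library only, adds the server-side checks a real deployment needs (constant-time comparison, a small clock-skew window, and a replay guard so one code cannot be accepted twice), and builds the otpauth enrolment URI that authenticator apps read from a QR code. The key `12345678901234567890` is the RFC 6238 test key; the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: dynamic truncation of HMAC(secret, big-endian 8-byte counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


class TotpVerifier:
    """Server side of the check.

    - constant-time compare, so a wrong code leaks nothing about the right one
    - +/- `window` time steps of tolerance for client clock skew
    - replay guard: a counter that has already been consumed is never accepted
      again, so a code sniffed from one login is useless for a second login
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1, algo=hashlib.sha1):
        self.secret, self.step, self.digits, self.window, self.algo = secret, step, digits, window, algo
        self.last_counter = -1  # highest counter already used for a successful login

    def verify(self, code: str, for_time=None) -> bool:
        if for_time is None:
            for_time = time.time()
        now = int(for_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay of an already-consumed step
            expected = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


def provision(issuer: str, account: str, secret: bytes = None):
    """Generate (or take) a shared secret and the otpauth:// URI for enrolment.

    The URI format is the de facto Google Authenticator key-URI format; the
    secret must be shown once over a trusted channel and then stored server-side.
    """
    if secret is None:
        secret = secrets.token_bytes(20)  # 160-bit key, the RFC 4226 recommendation
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test key
    print("TOTP at T=59:", totp(key, 59, digits=8))
    _, enrol_uri = provision("Example Corp", "alice@example.com", key)  # assumed names
    print("enrol:", enrol_uri)
```

The replay guard is the piece most home-grown integrations forget: without it, anyone who shoulder-surfs or phishes one code has a 30-second (plus window) reuse opportunity. Storing `last_counter` per user in the same place as the secret is enough.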
Back to Basics (5)
• Get a plan
– Face it, shit’s going to hit the fan at some point.
– Be prepared, simpler to reach for the IR forms than
wonder WHAT to do…
– Have the communications plan in place ready to go…
– Have the humans prepared. (No, not cannibalism)
– Practice makes perfect, headless chicken mode is NOT
needed…
– Know the steps (OODA, or the NIST incident response lifecycle from SP 800-61)
Get a plan!
If We Fail To Educate…
AI: Best Case Scenario…
We can’t look after ourselves let alone each other.
The system wakes up…Realizes we’ll never listen as a collective
species. Pops smoke and exits stage left…
Worst Case Scenario…
Do No Harm, Can It Work?
What Is It?
“Given an existing problem, it may be better not to
do something, or even to do nothing, than to risk
causing more harm than good.”
Basically the OODA loop (where A might equal simply leaving it alone!)
Or, In Our Language…
PS: Duct Tape Does NOT Fix Everything…
As An Industry…
• Do we have the discipline to take a step back and
understand that our approach for the last 25+
years has NOT worked?
• Do we have the humility to go to the business
and ask for their help in understanding HOW to
efficiently integrate?
• Can we talk business risk and NOT geek?
Security, Safety OR Risk?
Safety vs. Security
• Humans have evolved over the
last 50-60,000 years.
• Humans have always been
targeted, depending upon
various circumstances.
• We UNDERSTAND safety.
• Security is NOT part of our
language.
There is NO such thing as security.
There is just the measurement of RISK.
• Arguably there is nothing that can be totally secured.
– Therefore, does a state of security really exist?
– If yes, then HOW do you measure security?
– If no, then WHY are we going round in circles trying to tell
folks what exactly?!?
• Change the conversations, talk about risk.
– NOT “cyber risk” but simply business risk.
– We know that companies have quantified risk for as long as
someone’s been willing to sell insurance.
– If we can’t beat them…join them!
Risk Not Security:
Existential Crisis For InfoSec…
Replace The Blinky Stuff…
Static Defense…
Static Defenses (Mk2)
Walls… Fire, Brick, Etc.
“Walls for the last 4,100 years have provided
temporary relief at best, but a fool’s folly for the
most part. They are nothing more than a willy
waving exercise designed to attract MORE
attention and innovation in how to circumvent and
bypass.”
More Blinky Lights…
• You have SIEM installed…and more alerts than a team of
minions could ever handle.
• You WOULD have policies, procedures and controls IF you
could all agree…
• You get a penetration test, but let’s face it…most of the time
it’s a checkbox NOT an actual off the leash test…
• You congratulate yourself when the auditor leaves WITHOUT
finding the skeletons.
• You don’t have good metrics to report to the board…
Assets!
How many of you KNOW what assets you HAVE
Let alone where they are…
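“Remove the easy ways in!” (Back to Basics (2)) and “How many of you KNOW what assets you HAVE” are the same job: scan what is actually reachable, reconcile it against what you think you own, and flag both the RDP/1433/3306-style exposures and the hosts nobody claims. The block below is an added example, not code from the slides or any vendor product. It parses Nmap’s grepable (`-oG`) output format; the scan text, the inventory export and the addresses are constructed for the example and assumed to come from your own external scan and CMDB.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in Nmap grepable (-oG) format; not real scan output.
# 203.0.113.0/24 is a documentation range, so nothing here is a real host.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 (vpn01.example)\tStatus: Up
Host: 203.0.113.10 (vpn01.example)\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
Host: 203.0.113.25 (warehouse-pc)\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 203.0.113.40 ()\tPorts: 1433/open/tcp//ms-sql-s///, 3306/open/tcp//mysql///\tIgnored State: filtered (998)
Host: 203.0.113.77 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Assumed inventory/CMDB export: address -> owner. Anything missing is "unknown".
KNOWN_ASSETS = {
    "203.0.113.10": "network team (VPN concentrator)",
    "203.0.113.25": "logistics (warehouse workstation)",
    "203.0.113.40": "app team (reporting DB)",
}

# Management and database services that should never face the Internet directly.
NEVER_EXPOSE = {
    23: "telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
    3389: "RDP", 5432: "PostgreSQL", 5900: "VNC",
}

# One -oG host line: "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")


def parse_grepable(text: str) -> dict:
    """Return {ip: [(port, state, proto, service), ...]} from -oG output.

    Each port entry is port/state/protocol/owner/service/rpc-info/version/.
    Lines without a Ports field (status-only lines, comments) are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports_field = m.group(1), m.group(3)
        entries = []
        for entry in ports_field.split(", "):
            f = entry.split("/")
            entries.append((int(f[0]), f[1], f[2], f[4]))
        hosts[ip] = entries
    return hosts


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str      # "UNKNOWN_ASSET" or "EXPOSED"
    detail: str


def audit(scan_text: str, inventory: dict, never_expose: dict = NEVER_EXPOSE) -> list:
    """Reconcile a scan against the inventory and flag risky open TCP services."""
    findings = []
    for ip, ports in parse_grepable(scan_text).items():
        if ip not in inventory:
            findings.append(Finding(ip, "UNKNOWN_ASSET",
                                    "not in inventory: nobody owns it, nobody patches it"))
        for port, state, proto, service in ports:
            # Only "open" counts; "filtered" means something in front is already blocking it.
            if state == "open" and proto == "tcp" and port in never_expose:
                findings.append(Finding(ip, "EXPOSED",
                                        f"{never_expose[port]} ({port}/tcp, {service}) open to the Internet"))
    return findings


def by_owner(findings: list, inventory: dict) -> dict:
    """Group findings by the team that has to fix them; unknown hosts land in UNOWNED."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[inventory.get(f.ip, "UNOWNED")].append(f)
    return dict(grouped)


if __name__ == "__main__":
    for owner, items in by_owner(audit(SAMPLE_SCAN, KNOWN_ASSETS), KNOWN_ASSETS).items():
        print(owner)
        for f in items:
            print(f"  {f.ip:16} {f.kind:14} {f.detail}")
```

Run it against a real `nmap -oG` file of your public ranges and the output is the ticket list: exposures routed to the team that owns the box, and an UNOWNED bucket that is your unknown-asset problem made visible.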
So, That Just Shot Endpoint too…
Blunt
• You don’t have a perimeter:
– You lost that when you allowed email to become mobile and the cloud took it to a whole
new level, let alone your 3rd parties and supply chain have access everywhere...
– When the coffee machine talks to the fridge and Alexa answers…you don’t have a
perimeter!
• You haven’t fixed the basics:
– Patches done ALL over the place (on stuff you can find) hopefully…ish
– You have an SDLC for developers and all those teams are managed correctly?
– You have shared code ALL over your apps, and don’t know it.
– Defaults in place, passwords not separated, local admin for users?
– You train your users annually and expect them to remember? (never mind PPC’s)
• I’m here..
– And you are not watching all your logs ALL the time OR you’ve tuned me out?
– You think that antivirus is effective or rely upon endpoint protection.
– You think your firewall’s going to save you…
Preventative, Proactive, Deceptive!
Asymmetric Defense!
Explain!
Your current network… Building in asymmetric defense
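What “asymmetric defense” looks like in practice, as an added example (not code from the slides or from Attivo Networks, and not a description of any product): plant decoy accounts, shares and host names that no legitimate process ever uses, then treat any touch of one as a confirmed intrusion rather than another SIEM alert to triage. The attacker has to be right about every credential and share they try; the defender only needs one of them to be a lure. The decoy names, the JSON event format and the events themselves are constructed for the example.

```python
import json
from collections import defaultdict

# Decoys planted on purpose (assumed names). Nothing legitimate uses them, so
# any authentication or access attempt that references one is a true positive.
DECOY_USERS = {"svc_backup_legacy", "sqladmin_dr"}   # e.g. seeded in AD / a script on a share
DECOY_SHARES = {"finance_archive"}                    # an attractive, never-used share
DECOY_HOSTS = {"db-legacy-01"}                        # a name that only exists in a lure config

# Constructed authentication / file-access events as JSON lines; not the output
# of any real product. Two real users, one workstation that has started probing.
SAMPLE_EVENTS = """\
{"ts": "2019-03-04T09:12:01Z", "type": "logon", "user": "j.smith", "src": "10.1.4.22", "dst": "fs01", "ok": true}
{"ts": "2019-03-04T09:12:45Z", "type": "share_access", "user": "j.smith", "src": "10.1.4.22", "dst": "fs01", "share": "public", "ok": true}
{"ts": "2019-03-04T09:31:10Z", "type": "logon", "user": "svc_backup_legacy", "src": "10.1.4.22", "dst": "dc01", "ok": false}
{"ts": "2019-03-04T09:31:12Z", "type": "logon", "user": "svc_backup_legacy", "src": "10.1.4.22", "dst": "dc01", "ok": false}
{"ts": "2019-03-04T09:33:05Z", "type": "share_access", "user": "j.smith", "src": "10.1.4.22", "dst": "fs01", "share": "finance_archive", "ok": true}
{"ts": "2019-03-04T09:35:00Z", "type": "logon", "user": "m.jones", "src": "10.1.9.3", "dst": "app02", "ok": true}
{"ts": "2019-03-04T09:40:27Z", "type": "logon", "user": "sqladmin_dr", "src": "10.1.4.22", "dst": "db-legacy-01", "ok": false}
"""


def decoy_reasons(ev: dict) -> list:
    """Every decoy this event touches. Success or failure is irrelevant: the
    attacker could only know these names by having already been inside."""
    reasons = []
    if ev.get("user") in DECOY_USERS:
        reasons.append("decoy_user:" + ev["user"])
    if ev.get("share") in DECOY_SHARES:
        reasons.append("decoy_share:" + ev["share"])
    if ev.get("dst") in DECOY_HOSTS:
        reasons.append("decoy_host:" + ev["dst"])
    return reasons


def detect(events_text: str) -> dict:
    """Return {source_host: alert} for every source that touched a decoy.

    The alert carries the reasons plus the source's full timeline, including
    the benign-looking events before the first hit, so the responder starts
    with a scoped incident (which box, which accounts, since when) instead
    of a single line in a queue.
    """
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        hits = [(ev["ts"], r) for ev in evs for r in decoy_reasons(ev)]
        if not hits:
            continue
        alerts[src] = {
            "first_hit": min(ts for ts, _ in hits),
            "reasons": sorted({r for _, r in hits}),
            "hits": hits,
            "users_seen": sorted({ev["user"] for ev in evs}),
            "timeline": evs,  # everything this source did, for scoping
        }
    return alerts


if __name__ == "__main__":
    for src, alert in detect(SAMPLE_EVENTS).items():
        print(f"CONFIRMED INTRUSION from {src} at {alert['first_hit']}")
        print("  reasons:   ", ", ".join(alert["reasons"]))
        print("  users seen:", ", ".join(alert["users_seen"]))
        print(f"  timeline:   {len(alert['timeline'])} events")
```

The detection is deliberately simple because the work is in the planting, not the matching: the decoys must be placed where an intruder enumerating the environment will find them (cached credentials, share listings, config files, DNS), and they must never be referenced by anything real, or the zero-false-positive property is gone.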
Wrapping It All Up…
Our History
Our Future
All Of Us…
• Irrespective of your background.
• Irrespective of your race, creed, color, faith, or eye color.
• Absolutely irrespective of your orientation!
• Change takes ALL of us.
– This isn’t security’s problem, it isn’t the researchers’ fault, we
need to stop blaming the hackers.
– This isn’t the C-Suite’s blame to carry, nor is it the users’ issue
to solve. Developers need to be out of the firing line, as does
EVERYONE in the business.
• We ALL take some of the responsibility, therefore we ALL
have to solve it…together!
Collaborate Or Die
5 million apps, 6 billion connected people, 26 Billion devices, 3 million shortfall in InfoSec…
Breaking things is easy…
…fixing them is a whole lot harder
“We may have all come on different ships, but we’re in the
same boat now”
Martin Luther King, Jr.
I will fail
We will succeed
“So long and thanks for all the fish”
Douglas Adams, you are missed.
Thank you to BugCrowd AND everyone listening!

Weitere ähnliche Inhalte

Was ist angesagt?

advantages and disadvanteges of computer
advantages and disadvanteges  of computeradvantages and disadvanteges  of computer
advantages and disadvanteges of computerJay-R Diacamos
 
IT impact on health
IT impact on healthIT impact on health
IT impact on healthArcot Prasad
 
advantage and disadvantage of technology
advantage and disadvantage of technology advantage and disadvantage of technology
advantage and disadvantage of technology Ziyad Siso
 
Impact of computers on Society
Impact of computers on SocietyImpact of computers on Society
Impact of computers on SocietyRamki M
 
Weakness and strengths of computer
Weakness and strengths of computerWeakness and strengths of computer
Weakness and strengths of computerAmanjot_kaur
 
The Programmable Internet of Things
The Programmable Internet of ThingsThe Programmable Internet of Things
The Programmable Internet of ThingsRich Miller
 
Postive & Nagetive impacts & Applications of computer
Postive & Nagetive impacts & Applications of computerPostive & Nagetive impacts & Applications of computer
Postive & Nagetive impacts & Applications of computermanju rani
 
Positive and Negative Impacts of Computer
Positive and Negative Impacts of ComputerPositive and Negative Impacts of Computer
Positive and Negative Impacts of ComputerHina Anjum
 
Positive and negative impact by m.talha
Positive and negative impact by m.talhaPositive and negative impact by m.talha
Positive and negative impact by m.talhaMuhammedTalha7
 
Trends that threaten IT departments and CIOs
Trends that threaten IT departments and CIOsTrends that threaten IT departments and CIOs
Trends that threaten IT departments and CIOsTerry White
 
Digital Etiquette
Digital EtiquetteDigital Etiquette
Digital Etiquette13sh
 
Cyberspace and cyberethics and social networking
Cyberspace and cyberethics and social networkingCyberspace and cyberethics and social networking
Cyberspace and cyberethics and social networkingYUSRA FERNANDO
 
Lecture 2: Operational Procedures
Lecture 2: Operational ProceduresLecture 2: Operational Procedures
Lecture 2: Operational ProceduresS. M. Ali Murtazawi
 
Advantages and Disadvantages of Technology
Advantages and Disadvantages of TechnologyAdvantages and Disadvantages of Technology
Advantages and Disadvantages of TechnologyPave Maris Cortez
 
Definition Of Computers
Definition Of ComputersDefinition Of Computers
Definition Of ComputersTaufik
 

Was ist angesagt? (20)

advantages and disadvanteges of computer
advantages and disadvanteges  of computeradvantages and disadvanteges  of computer
advantages and disadvanteges of computer
 
IT impact on health
IT impact on healthIT impact on health
IT impact on health
 
advantage and disadvantage of technology
advantage and disadvantage of technology advantage and disadvantage of technology
advantage and disadvantage of technology
 
Impact of computers on Society
Impact of computers on SocietyImpact of computers on Society
Impact of computers on Society
 
Weakness and strengths of computer
Weakness and strengths of computerWeakness and strengths of computer
Weakness and strengths of computer
 
The Programmable Internet of Things
The Programmable Internet of ThingsThe Programmable Internet of Things
The Programmable Internet of Things
 
CTO Straight Talk Issue 1
CTO Straight Talk Issue 1CTO Straight Talk Issue 1
CTO Straight Talk Issue 1
 
Postive & Nagetive impacts & Applications of computer
Postive & Nagetive impacts & Applications of computerPostive & Nagetive impacts & Applications of computer
Postive & Nagetive impacts & Applications of computer
 
Positive and Negative Impacts of Computer
Positive and Negative Impacts of ComputerPositive and Negative Impacts of Computer
Positive and Negative Impacts of Computer
 
Work or Play
Work or PlayWork or Play
Work or Play
 
Positive and negative impact by m.talha
Positive and negative impact by m.talhaPositive and negative impact by m.talha
Positive and negative impact by m.talha
 
Trends that threaten IT departments and CIOs
Trends that threaten IT departments and CIOsTrends that threaten IT departments and CIOs
Trends that threaten IT departments and CIOs
 
Digital Etiquette
Digital EtiquetteDigital Etiquette
Digital Etiquette
 
Ethical issues
Ethical issuesEthical issues
Ethical issues
 
Cyberspace and cyberethics and social networking
Cyberspace and cyberethics and social networkingCyberspace and cyberethics and social networking
Cyberspace and cyberethics and social networking
 
ICT in Society
ICT in SocietyICT in Society
ICT in Society
 
Lecture 2: Operational Procedures
Lecture 2: Operational ProceduresLecture 2: Operational Procedures
Lecture 2: Operational Procedures
 
Advantages and Disadvantages of Technology
Advantages and Disadvantages of TechnologyAdvantages and Disadvantages of Technology
Advantages and Disadvantages of Technology
 
Ict And Society
Ict And SocietyIct And Society
Ict And Society
 
Definition Of Computers
Definition Of ComputersDefinition Of Computers
Definition Of Computers
 

Ähnlich wie Hackers contemplations

1_Maverick Introduction To Digital Literacy.pdf
1_Maverick Introduction To Digital Literacy.pdf1_Maverick Introduction To Digital Literacy.pdf
1_Maverick Introduction To Digital Literacy.pdfPaul Woodhead
 
20101008 agileee v11
20101008 agileee v1120101008 agileee v11
20101008 agileee v11Agileee
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecurityMichael Rushanan
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Tessella Consulting
Tessella ConsultingTessella Consulting
Tessella ConsultingTessella
 
Red vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsRed vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsEC-Council
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerVMware Tanzu
 
Why Can’t the Business Get Behind Streaming?! With Becky Gandillon | Current ...
Why Can’t the Business Get Behind Streaming?! With Becky Gandillon | Current ...Why Can’t the Business Get Behind Streaming?! With Becky Gandillon | Current ...
Why Can’t the Business Get Behind Streaming?! With Becky Gandillon | Current ...HostedbyConfluent
 
An Introduction To IT Security And Privacy In Libraries
 An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In LibrariesBlake Carver
 
Technology to Improve Your (Business) Life
Technology to Improve Your (Business) LifeTechnology to Improve Your (Business) Life
Technology to Improve Your (Business) LifeGarry Polmateer
 
5G and the Invisible Interface
5G and the Invisible Interface5G and the Invisible Interface
5G and the Invisible InterfaceExperience UX
 
"The Cutting Edge" - Palletways Business Club Presentation
"The Cutting Edge" - Palletways Business Club Presentation"The Cutting Edge" - Palletways Business Club Presentation
"The Cutting Edge" - Palletways Business Club Presentationgeorge_edwards
 
Getting Schooled DerbyCon 3.0
Getting Schooled DerbyCon 3.0Getting Schooled DerbyCon 3.0
Getting Schooled DerbyCon 3.0TonikJDK
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Stu Hirst
 
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...Steve Werby
 
Addo nov-culture-holding us accountable
Addo nov-culture-holding us accountableAddo nov-culture-holding us accountable
Addo nov-culture-holding us accountableChris Roberts
 

Ähnlich wie Hackers contemplations (20)

Dec2018 istanbul-2
Dec2018 istanbul-2Dec2018 istanbul-2
Dec2018 istanbul-2
 
1_Maverick Introduction To Digital Literacy.pdf
1_Maverick Introduction To Digital Literacy.pdf1_Maverick Introduction To Digital Literacy.pdf
1_Maverick Introduction To Digital Literacy.pdf
 
20101008 agileee v11
20101008 agileee v1120101008 agileee v11
20101008 agileee v11
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
 
A Stranger in a Strange Land
A Stranger in a Strange LandA Stranger in a Strange Land
A Stranger in a Strange Land
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
 
Tessella Consulting
Tessella ConsultingTessella Consulting
Tessella Consulting
 
UX for Internet of Things
UX for Internet of ThingsUX for Internet of Things
UX for Internet of Things
 
Red vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsRed vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 years
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
 
Why Can’t the Business Get Behind Streaming?! With Becky Gandillon | Current ...
Why Can’t the Business Get Behind Streaming?! With Becky Gandillon | Current ...Why Can’t the Business Get Behind Streaming?! With Becky Gandillon | Current ...
Why Can’t the Business Get Behind Streaming?! With Becky Gandillon | Current ...
 
An Introduction To IT Security And Privacy In Libraries
 An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
 
Technology to Improve Your (Business) Life
Technology to Improve Your (Business) LifeTechnology to Improve Your (Business) Life
Technology to Improve Your (Business) Life
 
5G and the Invisible Interface
5G and the Invisible Interface5G and the Invisible Interface
5G and the Invisible Interface
 
"The Cutting Edge" - Palletways Business Club Presentation
"The Cutting Edge" - Palletways Business Club Presentation"The Cutting Edge" - Palletways Business Club Presentation
"The Cutting Edge" - Palletways Business Club Presentation
 
Getting Schooled DerbyCon 3.0
Getting Schooled DerbyCon 3.0Getting Schooled DerbyCon 3.0
Getting Schooled DerbyCon 3.0
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016
 
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
 
Addo nov-culture-holding us accountable
Addo nov-culture-holding us accountableAddo nov-culture-holding us accountable
Addo nov-culture-holding us accountable
 
The Stadium Business - Technology of Engagement
The Stadium Business - Technology of EngagementThe Stadium Business - Technology of Engagement
The Stadium Business - Technology of Engagement
 

Kürzlich hochgeladen

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Finology Group – Insurtech Innovation Award 2024
Hackers contemplations

  • 14. How Do We Fix This?
    How do we take 1,200 vendors and find the few good ones?
    • Shoot the blinky lights (-350)
    • Taser the AI/ML (-300)
    • Cattle prod to BlockCypherSIEMIntel (-200)
    • More reactive stuff? (-200)
    • “We’ve got a solution for all of it” (-100)
    DO
    • Focus on those who listen more than talk.
    • Talk with those who focus on outcomes, metrics and improvements within both human AND technical realms.
    • Look for proactive, predictive AND solutions that focus on asymmetric defense.
    • Look for solutions NOT Band-Aids.
  • 15. Worst case, play buzzword bingo: The winning vendor is whoever uses the LEAST buzzwords!
  • 16. 1001 Ways To Remember Password
  • 17. Band-Aid Not Fixing…
    • HOW many companies are out there trying to solve ONE simple problem?
    • HOW many billions will we spend on password management (answer 2019, $10 Billion or so)
    • How many solutions out there overly complicate a simple thing…
    • It’s a freaking password, we’ve had them since the 60’s and we’ve still NOT solved them!
  • 19. Mapping The Brain…
    Left: Recording my brain interacting with my test computer
    Right: Replayed a heap of times along with phone and two other devices.
    The brain interacting with the various systems, get a baseline with some deviation
  • 20. 2020 Password Management Not MitM, but Drill in the Middle…
  • 21. Same Issues, Different Application:
    • We’ve been talking about transportation, intermodal and all things with wings, wheels, tracks, tyres and fins for 10 years or more…
    • As researchers, we’ve shouted from the tallest places, and still MANY of the industries don’t pay attention…
    • So, time to put the hammer down!
  • 22. Planes Today…
    ALL the data, ALL the time, ALL the locations
    10,000 sensors in wing
    7-8TB data per day
    5,000 data points a sec. (engines)
  • 23. Yea…Guess Who’s Going Back To Planes
  • 26. Ships Through The Front Door… Open RDP to a few container ships??
  • 27. Make It Roll Over…
    RDP to ship, then maintenance system scan to: ballast control module… May 2018
  • 28. And…Over Again SATCOM – Navigation – RDP – Maintenance – Ballast Control
  • 29. Locomotives: What to do when you get banned from several airlines…
  • 30. Trains, Signals And Rail Yards…
    Rail yard, run by 3rd party, manages freight across the entire country.
    TELNET access, ID=Admin PWD=Admin1
    GE-EMD Locomotive: cellular, rail-line or network access to train, ID=Admin PWD=000000
    ElectroLogIXS switch (scattered ALL over the USA.) Allows signals to be interrupted AND changed… Man NOT Present, bypassed. PWD=password
    Can change signals from RED to GREEN, etc.
  • 31. 3 years of research and still NOBODY is really listening.
  • 32. Why Can We Still Break Everything?
  • 38. Advertising targeted the boys and the teenagers… The “male geniuses” came into being…
  • 40. We Need To Bring Back BALANCE!
  • 42. We Need People Who Care...
  • 46. Back to Basics
    • The human:
      – 1 hour of awareness training PER year
      – ½ session of “don’t click shit”
      – ½ session of “don’t send shit”
      – No understanding of balancing work and life security
      – P@ssw0rd1 used at work and on Facebook etc.
      – Thinks the “S” in HTTPS is for wimps
  • 49. Back to Basics (2)
    • Your computers:
      – The ones on the FLAT network running W2k
      – The ones in the warehouse running XP
      – The ones the vendor said don’t touch
      – The ones on the Internet with RDP!!
      – The ones on the Internet with 1433/3306/Etc.
      – The ones you don’t even know about!
  • 50. Remove the easy ways in!
  • 51. Back to Basics (3)
    • Your perimeter:
      – Accept it, you don’t have one
      – The laptops, iPhones, IoT took your control away
      – Computer No1 on YOUR network is hacked
      – 2018’s NGIPS/UBA/NGFW isn’t going to help
      – Reactive, static defenses suck and don’t work
      – There is NO cake, no fairy and NO simple answer
      – Start looking at preventative, proactive, predictive
  • 52. Get eyes inside your world!
  • 53. Back to Basics (4)
    • Passwords (still)
      – Stop the re-use!
      – Teach pass phrases and password vaults.
      – Teach separation/segmentation
      – 2FA, it’s NOT hard to integrate
      – All your users DON’T need to be admin!
      – All your admins NEED to be separated
      – All your developers DON’T need to hardcode
  • 54. Education and simpler integration
  • 55. Back to Basics (5)
    • Get a plan
      – Face it, shit’s going to hit the fan at some point.
      – Be prepared, simpler to reach for the IR forms than wonder WHAT to do…
      – Have the communications plan in place ready to go…
      – Have the humans prepared. (No, not cannibalism)
      – Practice makes perfect, headless chicken mode is NOT needed…
      – Know the steps (OODA or NIST IR)
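The "Back to Basics" slides 49 and 53 are a checklist for removing the easy ways in: end-of-life boxes on a flat network, RDP and database ports facing the Internet, users holding local admin, and machines nobody owns. The following is an added example, not code from the deck or from Attivo Networks, of turning that checklist into a triage script that runs over an asset inventory. The inventory rows, hostnames, the EOL_OS and NEVER_EXPOSED tables, the BREAK_GLASS account name and the scoring weights are all assumptions constructed for the example.

```python
"""Rank inventory assets by how easy a way in they offer (added example).

Flags the things slides 49 and 53 call out: end-of-life operating systems,
Internet-facing RDP/SQL/Telnet, hosts on the flat network, local accounts that
hold admin without a reason, and boxes nobody will own. All tables below are
assumptions for the example, not anything from the talk.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed lists: OS versions past vendor support, and services that must never
# be reachable from the Internet. Extend both for your own estate.
EOL_OS = {"windows 2000", "windows xp", "windows server 2003"}
NEVER_EXPOSED = {3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 23: "Telnet"}
BREAK_GLASS = {"localadmin"}   # assumed: the one sanctioned local admin account

# Assumed weights; an exposed admin/database service outranks an old OS.
WEIGHTS = {"eol_os": 3, "exposed_port": 4, "flat_network": 2,
           "extra_admin": 2, "unowned": 3}


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    vlan: str                    # "flat" means no segmentation at all
    internet_facing: bool
    open_ports: frozenset
    local_admins: frozenset      # accounts holding local admin on this host
    owner: Optional[str]         # None: nobody claims the box


def findings_for(a: Asset) -> list[tuple[str, str]]:
    """Return (category, detail) pairs describing the easy ways in on one asset."""
    out: list[tuple[str, str]] = []
    if a.os.lower() in EOL_OS:
        out.append(("eol_os", f"end-of-life OS {a.os}"))
    if a.internet_facing:
        for port in sorted(a.open_ports & set(NEVER_EXPOSED)):
            out.append(("exposed_port",
                        f"{NEVER_EXPOSED[port]}/{port} reachable from the Internet"))
    if a.vlan.lower() == "flat":
        out.append(("flat_network", "sits on the flat network with everything else"))
    for user in sorted(a.local_admins - BREAK_GLASS):
        out.append(("extra_admin", f"{user} holds local admin"))
    if a.owner is None:
        out.append(("unowned", "nobody owns this box; is it even in the asset list?"))
    return out


def score(findings: list[tuple[str, str]]) -> int:
    return sum(WEIGHTS[cat] for cat, _ in findings)


def triage(assets: list[Asset]) -> list[tuple[str, int, list[tuple[str, str]]]]:
    """Rank assets worst first; clean assets are left out of the report."""
    rows = []
    for a in assets:
        f = findings_for(a)
        if f:
            rows.append((a.hostname, score(f), f))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed sample inventory (hostnames, ports and owners are invented).
INVENTORY = [
    Asset("fileserver-01", "Windows 2000", "flat", False,
          frozenset({445, 139}), frozenset({"localadmin"}), "it-ops"),
    Asset("warehouse-kiosk", "Windows XP", "flat", False,
          frozenset({445}), frozenset({"localadmin", "kiosk"}), "logistics"),
    Asset("jump-host", "Windows Server 2019", "dmz", True,
          frozenset({3389, 443}), frozenset({"localadmin"}), "it-ops"),
    Asset("db-legacy", "Windows Server 2003", "flat", True,
          frozenset({1433, 3389}), frozenset({"localadmin", "jsmith"}), None),
    Asset("web-01", "Ubuntu 22.04", "dmz", True,
          frozenset({443}), frozenset({"localadmin"}), "web-team"),
]

if __name__ == "__main__":
    for host, total, findings in triage(INVENTORY):
        print(f"{host:16} score={total}")
        for _, detail in findings:
            print(f"    - {detail}")
```

On the constructed inventory the unowned Windows Server 2003 box with SQL and RDP open to the Internet lands at the top of the report, and the patched web server with only 443 exposed produces no row at all; the point is that the same five checks the slides list can be run against every host you know about, and the "unowned" finding is a prompt to go find the ones you don't.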
  • 57. If We Fail To Educate…
  • 58. AI: Best Case Scenario… We can’t look after ourselves let alone each other.
  • 59. The system wakes up… Realizes we’ll never listen as a collective species. Pops smoke and exits stage left…
  • 61. Do No Harm, Can It Work?
  • 62. What Is It? “Given an existing problem, it may be better not to do something, or even to do nothing, than to risk causing more harm than good.” Basically the OODA loop (where A might equal simply leaving it alone!)
  • 63. Or, In Our Language…
  • 64. PS: Duct Tape Does NOT Fix Everything…
  • 65. As An Industry…
    • Do we have the discipline to take a step back and understand that our approach for the last 25+ years has NOT worked?
    • Do we have the humility to go to the business and ask for their help in understanding HOW to efficiently integrate?
    • Can we talk business risk and NOT geek?
  • 67. Safety vs. Security
    • Humans have evolved over the last 50-60,00 years.
    • Humans have always been targeted, depending upon various circumstances.
    • We UNDERSTAND safety.
    • Security is NOT part of our language.
  • 68. There is NO such thing as security. There is just the measurement of RISK.
  • 69. Risk Not Security:
    • Arguably there is nothing that can be totally secured.
      – Therefore, does a state of security really exist?
      – If yes, then HOW do you measure security?
      – If no, then WHY are we going round in circles trying to tell folks what exactly?!?
    • Change the conversations, talk about risk.
      – NOT “cyber risk” but simply business risk.
      – We know that companies have quantified risk for as long as someone’s been willing to sell insurance.
      – If we can’t beat them…join them!
  • 71. Replace The Blinky Stuff…
  • 74. Walls… Fire, Brick, Etc. “Walls for the last 4,100 years have provided temporary relief at best, but a fool’s folly for the most part. They are nothing more than a willy waving exercise designed to attract MORE attention and innovation in how to circumvent and bypass.”
  • 76. More Blinky Lights…
    • You have SIEM installed…and more alerts than a team of minions could ever handle.
    • You WOULD have policies, procedures and controls IF you could all agree…
    • You get a penetration test, but let’s face it…most of the time it’s a checkbox NOT an actual off the leash test…
    • You congratulate yourself when the auditor leaves WITHOUT finding the skeletons.
    • You don’t have good metrics to report to the board…
  • 77. Assets! How many of you KNOW what assets you HAVE, let alone where they are…
  • 78. So, That Just Shot Endpoint too…
  • 79. Blunt
    • You don’t have a perimeter:
      – You lost that when you allowed email to become mobile and the cloud took it to a whole new level, let alone your 3rd parties and supply chain have access everywhere...
      – When the coffee machine talks to the fridge and Alexa answers…you don’t have a perimeter!
    • You haven’t fixed the basics:
      – Patches done ALL over the place (on stuff you can find) hopefully…ish
      – You have an SDLC for developers and all those teams are managed correctly?
      – You have shared code ALL over your apps, and don’t know it.
      – Defaults in place, passwords not separated, local admin for users?
      – You train your users annually and expect them to remember? (never mind PPC’s)
    • I’m here..
      – And you are not watching all your logs ALL the time OR you’ve tuned me out?
      – You think that antivirus is effective or rely upon endpoint protection.
      – You think your firewall’s going to save you…
  • 81. Explain! Your current network… Building in asymmetric defense
  • 85. All Of Us…
    • Irrespective of your background.
    • Irrespective of your race, creed, color, faith, or eye color.
    • Absolutely irrespective of your orientation!
    • Change takes ALL of us.
      – This isn’t security’s problem, it isn’t the researchers’ fault, we need to stop blaming the hackers.
      – This isn’t the C-Suite’s blame to carry, nor is it the users’ issue to solve. Developers need to be out of the firing line, as does EVERYONE in the business.
    • We ALL take some of the responsibility, therefore we ALL have to solve it…together!
  • 87. 5 million apps, 6 billion connected people, 26 Billion devices, 3 million shortfall in InfoSec…
  • 88. Breaking things is easy… …fixing them is a whole lot harder
  • 89. “We may have all come on different ships, but we’re in the same boat now” Martin Luther King, Jr.
  • 90. I will fail We will succeed
  • 91. “So long and thanks for all the fish” Douglas Adams, you are missed. Thank you to BugCrowd AND everyone listening!