SlideShare ist ein Scribd-Unternehmen logo

Red vs. Blue Why we’ve been getting it wrong for 25 years

Als PPTX, PDF herunterladen
EC-Council
EC-Council

Regarded as one of the world’s foremost experts on counter threat intelligence within the Information security industry, Chris Roberts constructs and directs a portfolio of defense services designed to improve the physical and digital security posture of both enterprise and government clients. With increasingly sophisticated attacks on targets of opportunity, Roberts’ unique methods of addressing the evolving threat matrix and experience with all information systems make him an indispensable partner to clients and industries that demand protection of financials, intellectual property, customer data and other protected information from attack.

Technologie
1 von 103
Red vs. Blue Why we’ve been getting it wrong for 25 years
Agenda… • Intro (and thanks to EVERYONE here and the Hacker Halted crew!) • We have 105ish slides give or take a few…hold tight • Why are we here? • Red vs. Blue • And tanks… • Mentality reset! • Some solutions (hopefully.) • Why here, why now? • Some current research AND a glimpse into the crystal ball… www.hackerhalted.com 2
Me… www.hackerhalted.com 3 • Working in InfoSec (now Cyber) industry for too many years... • Broke Nigeria, broke the ISS, the Mars Rover, airplanes, trains, etc. • Working at Acalvio, rather an awesome company! • Helping them build the next generation of deception platforms… • Why? Because Computer No.1 is already compromised… • Why? Because 25 years of chasing passwords hasn’t worked! • Currently breaking humans, AI, ML and consciousness computing… • Because the future’s not already scary enough  • Because we need a solution for the MOST annoying problem of all…
We Don’t Do Death By PowerPoint… IF YOU see someone doing DBPPT You ARE obliged to taser them! Hacker Halted Rule 303.a
Why are we here? Let us examine the humans we protect…
Overall Statement The beauty of humans is that for all that we err, we also have an equal capacity to evolve. We (the humans) are both the problem AND the solution. www.hackerhalted.com 6
Problem Statement… “HAVE” the capacity to evolve doesn’t mean we ARE evolving…
By The Numbers… • 5.5 Billion connected people… (in 2020 ish.) • Take a standard bell curve mix for tech/human/intel etc. • 15% understand or “get” security. (At most!) • 70% sheeple. • 15% can’t even spell security or use 123456 as a password. • Globally that’s 825 Million people who “get” security. • USA has 4.4% of the global bodies, so our share is 36M people. • That 36 Million will represent about 9% of the US population. • So, now we know… 9% of the US population will understand security by 2020. www.hackerhalted.com 8
The 91st Percentile… www.hackerhalted.com 9
www.hackerhalted.com 10
www.hackerhalted.com 11 Passwords!
www.hackerhalted.com 12
Where ARE We Today? • 90% or greater of attacks against environments are undertaken using KNOWN exploits. • Most organizations do NOT have a well defined or integrated data security governance program. • 75% of the IoT manufacturers will not be able to address the security risks by 2020…
And…The Remaining 9 Percent Of Us? www.hackerhalted.com 14
Sobering Statistics • Estimated $2 Trillion per year to the economy by 2019: • Financial impacts (financial, technology, pharmaceutical.) • Data losses (intellectual property etc.) • Over 800 “major” breaches: • Major being the Really nasty ones…. • 171 Million peoples identities and records lost: • That’s just the ones we know about… • Millions of new malware programs “found” • Recycle a good idea and re-use it to target other data… • Let’s not forget the tools “lost” by our agencies… www.hackerhalted.com 15
And… It Get’s Worse… • In the US, 55% of men and 69% of women said no teacher or career counselor ever mentioned the idea of a CyberSecurity career. • Globally, 57% of men and 66% of women said no teacher or career counselor ever mentioned the idea of a CyberSecurity career. • In the US, 51% have never received a formal CyberSecurity lesson. • Globally, 58% have never received a formal CyberSecurity lesson. www.hackerhalted.com 16
No Worries, We’ve Got It Covered… www.hackerhalted.com 17
A Little More Bad News… • The demand for the (CyberSecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million. (Michael Brown CEO Symantec) • Cisco Annual Security Report warned that the worldwide shortage of information security professionals is at 1 million openings. • Security leadership reported significant obstacles in implementing security projects due to: • Lack of staff expertise (34.5%) • Inadequate staffing (26.4%). • Given the above only 24% of enterprises have 24×7 monitoring in place using internal resources. www.hackerhalted.com 18
State Of Union: Summary • We are adding more and more complex technology. • We are handing the aforementioned technology to a population that doesn’t understand (or care in many cases) about security. • We are integrating it into our homes, offices, bodies, cars, lives… • We don’t have enough qualified people to manage the current list of issues, let alone what’s coming down the pipeline. • We don’t have the in-house technical knowhow to manage all the endpoints, systems and potential attack vectors. • We don’t (typically) have good eyes on our own environments… www.hackerhalted.com 19
In Addition: We still have to balance access needs vs. threats
How to breach YOU in 2 minutes Healthcare…
It said “Portal Login” that MUST mean it’s safe..
On average 75-85% success rate Despite a METRIC F**K TON of end user training…
A Metric What ?!? www.hackerhalted.com 25 • buttload * 10 = 1 butt ton • butt ton * 10 = 1 assload • assload * 10 = 1 asston • asston * 10 = 1 shitload • shitload * 10 = 1 shitton • shitton * 10 = 1 fuckload • fuckload * 10 = 1 fuckton • so to answer what IS a fuckton, it s = 103 shitloads = 107 buttloads
We are so F**KED
25 Years of InfoSec Conferences… • We still bitch and whine about passwords. • We still blame users, managers, developers, grandma’s AND the network… • We were safer with the mainframe ONLY because it was in ONE room. • We lost the battle when the data left the green-screen. • We lost the war when the laptop arrived.
…Shit’s still broken…who do we blame?
Introspective… • We are so focused on red teams and breaking things we forget WHY we are truly here. • Our charges who rely upon us to protect them are looking at us wondering WTF. • We keep blaming our charges AND we keep increasing complexities. • We spend more time building band aids than actually FIXING things.
We have failed absolutely spectacularly.
Dammit Red Sucks – A New Reality? • Red is the schoolyard bully that takes what they want, when they want. • What’s worse we are promoting it, building up as something to do, something to aspire to, something to build a career out of… • We have lost the core focus of what we should be doing, what our purpose is and what we really got into this industry for…
Protection
We Don’t Need Ninja’s Anymore
Why Blue Has To Win • We’ve helped built a multi-billion dollar industry on the misery of others. • We still find more issues that can’t be fixed, more systems that are broken and more ways to break whatever IS there. • We have neglected to actually DO anything to fix the problem aside from standing from our pulpits lecturing everyone on how wonderful we look in our ninja gear with our latest gadgets… • We have quite simply failed, ALL the data still gets taken ALL the time.
Really Blue HAS To Win… • There’s too much to fix, and too few teams actually fixing things. • The blue team folks are throwing up their hands as there’s too much to do in too little time with too few resources. • We still break more things and pump out more reactive software and hardware that does little to alleviate the situation.
Vendor Vultures… Security vendors preying on the dead and dying companies bleeding data. Above; fighting over product placement and insurance policies.
One Team One Fight • We need a better blue team playbook, we are putting one together…it came out of the last six months of work with the National Guard. • We need to coordinate and collaborate better between ALL of us AND we need more damm diversity in this industry. • Too many fragmented and fractured solutions that are not cohesively implemented.
IS this Death of the Red Team?
No! • Red IS needed: • Keep the vendors honest, test everything coming in… • HELP the development teams work through a secure SDLC. • The mentality OF the attacker to help the blue teams. • TRAIN the next generation of tools coming into our environments… • Mentor the next generation, again attacker mentality, defender stance. • Also! • Some still needs to keep annoying the FBI… • Someone needs to think outside of the box, BUT help with solutions.
Ok, yelling over, lets fix it!
Mentality reset!
Reset Part 1: • Security IS NOT an afterthought. • Build it in from the very start of a project! • Security IS NOT something to remember AFTER QA. • SDLC is not just a nice to have…make it a bloody priority. • Security IS a mindset. • Welcome to 2017 and beyond, the hackers OWN it. • Security IS the differentiator. • Your organizations actually might thank you! • Your customers WILL thank you! • Use it to your advantage in marketing.
Above All… Security IS all of our RESPONSIBILITY IF you don’t think so… guess who’s going to rip your new toys to pieces.
Reset Part 2: • Hold vendors responsible for delivering secure products ALL the time… • Integrators need to be held responsible for educating partners. • “Secure” is more than slamming product after product into the environment. • This years blinky light isn’t going to save you, last years didn’t save you. • Save your money, train the users, get a maturity model in place and use it!
Your Blinky Lights: Reality
Evolve Or Die • The industry AND InfoSec have to autonomously learn their environment. • Adapt, emulate and bloody camouflage the security tools! • Learning behaviors should be built in. • Anything we build has to be adaptive! • This IS a game of chess, why are we hampering ourselves? • Security HAS to evolve beyond the reactive stack • Preventative (please!) • Predictive! • Anything we build has to be intuitive… • PHD level installation instructions are BS! Thanks Packet Storm!
NOT Effective!
Passwords (Seriously!)… • Would be nice to NOT break into a company because defaults.. • Use biometrics, smartcards or two factor correctly please!. • Cost of remediation is 8x the cost of deployment; fix your passwords! • User education and awareness training AND Executive buy-in… • QUIT MAKING IT EASY! NO DEFAULTS! NO “Passw0rd!”
Summary: • As red team: • We don’t want more default passwords. • We don’t want hardcoded passwords/phrases. • We don’t need shared keys that are badly encrypted. • As blue team: • We don’t want more screens to look at. • We don’t need our users to find more insecure ways to work! • We want something intuitive. • We want help…not hindrance please. • Preferably we WANT collaborative purple teams!
Why here, why now? Let us take a peek into the future…
FinTech IoT ICS SMART V2V/V2X Nanotechnology
Greater than 65% of FinTech companies have NOT done the basic security testing.
More...before you hit the panic button!
Locomotives: What to do when you get banned from several airlines…
48 Hour Attack Period • Several willing and able researchers. • 200 foot of Cat5 cable. • Numerous devices to monitor over-the-air signals. • Couple of specific connector types. • Close proximity to a number of waysides… • Very close proximity to a rail yard. • Potential access to numerous locomotives. • A comprehensive set of lock bypass tools. • A few bottles of GOOD single malt. • Enough batteries to keep us happy. • Safety shoes (mustn’t forget those.) • No bloody orange/yellow vests. • A lot of OSINT and some HUMINT/SIGINT.
Where IS The Cargo? • ORBCOMM (Satellite or cellular on the move) • Thanks to some badly handled SQL queries we can track all your cargo. • TransCore (RFID in motion or in yard) • Once again the SQL issues bites back, now we can organize your cargo. • Softrail (railcars in the yard…where’s my stuff?) • Thankfully the software can be readily downloaded and reverse engineered to allow full access. • We can now built YOUR train to OUR specifications.
HACKED: Intermodal cargo in a rail yard, our tools building your railways…
GE Locomotives… GE & QNX…a marriage of vulnerabilities • Modern locomotive supplier • Not so modern outlook on security • Multiple attack vectors across the systems • Engine (ECU attack vectors) • Thermal protection sensors • Diagnostic data feeds • Cooling system attack options • GE LocoCAM I see what you see… Terminal into a GE train ID: GE PWD: 000000 (default)
Signals Hacked • GE Transportation Global Signaling • Passwords in the clear • Scrape out the necessary handshake… • Replay attack • Job done, now own Signals Thanks to OSINT we find file servers like this ALL over the Internet.. Pretty much each folder has both the instruction manuals AND the passwords (If they have been changed from default…)
MitM: Not Present Attack Scenario • Take the concept of a MitM (Man in the Middle) attack used across the InfoSec industry and apply it to signaling. • System: Leave lights green as OUR train comes into upcoming signal path. • Wayside/lights/crossing: Need to lower/drop/flash/validate (please.) • Attack: MitM “Sure” here’s the legitimate packets to cover to both ends… • Wayside/lights/crossing: Got it, go-ahead and pass friendly train… • Locomotive: Thanks too, OUR HACKED train passing through. • Wayside/lights/crossing: No problem, happy to oblige…
MitM Result:
Passengers Too… Amtrak wireless…’nuff said
Food: • How TO get the attention of the 92%
Pick A Country… Sorry UK  • Too many of them in Scotland, lost us the independence vote, therefore payback…your tea’s going to suffer. • How to find data, and how to do the research without breaking the target. • We focused on Fullwood and their suite of tools. • On the right is the suite of tools. • FULL herd management. • Heaps of data on the forums! • And….Windows 
Research! • OSINT, HUMINT, SIGINT Etc. • Google IS your friend. • Forums are your friend. • Nmap is your friend (as is Shodan!) • CVE Details will also help (useful to know what’s got issues.) • Our Deep/Darknet platform is a HUGE help here… • Your role is to be the analysts….this IS “Threat Intelligence.”
Research Over… Hack Time
Windows… What Could Possibly Go Wrong…
Milk Robots On WinXP/2K
Even The Livestock’s Connected… • RFID, Barcode systems, mixed with wireless technologies. • Wardriving cows, NFC and RFID embedded in tags. • Cows in the cloud…yea this is where it gets fun  • Pedometers for cows…nothing can go wrong here  • Proactive support that is cloud based…. (Afimilk.) • Basic security (minimal encryption etc.) 4 digit passcodes. • Feed, nutrient and cleaning (chemicals) monitored.
This Isn’t Going To End Well
Got Crops • All your Wheaties (and Cheerio’s) belong to me. • Controllers and other access points in the manufacturing systems cracked. • Monitoring systems reverse engineered. • Quality Controls hacked. • Product Inventory / Bar codes. • Time/Date stamps - high-speed inkjet printers. • All your farm animals are dead • Chicken heating/cooling monitors (sorry Thanksgiving.) • Pig and other automated feed systems. • Manipulate the feed and food mixing systems so animals get wrong foods. • All the drugs they are feeding the animals, we can manipulate the doses. • All your crops are failing • Hack the tractors revisited (getting Jesse back on point.) • Hack the chemicals, Round-Up’s vulnerabilities. • Hack the GMO (Sorry Monsanto…ish), all your crops ARE vulnerable. • Seed supply, kill the supply now you hit next years crops too.
Nanotechnology: Science fiction now becomes reality
Nanothings…
It’s all a matter of manipulating atoms No different than an assembly line Just a different scale.
Molecular Music (1997)
Educating Atoms - 2016 EPFL's Laboratory late 2016…
Code to Biology Hack In Action Want to hack E.coli? Here you go…
OK, So to this point we’ve: BUILT it, CODED it, Now we have to DEPLOY…
Science Fact Swimming nanobots: Direction, motion and other functions can be changed based on the application of either heat (laser) or electromagnetic pulses)
Science Fact Nanorobots being taught how to code (above, recognize the differences in chemicals)
Hack Something Dammit!
Our hexametric ring: six stations carrying different molecules: • We have our keys • Receptor-binding aptamer • We have our transport • siRNA • We have our bypass tools • Ribozyme • We have our report tools • Image Reporter • We have our payload • Drugs • And we have our decoys • Endosome disruptor
In English: • We took Bird Flu • We bound it to multiwall nanotubes • We fooled the body into thinking it was good • We have the propulsion system to move in the body • We have a tracking/tracing method for monitoring progress • We have decoys to deploy should the body go WTF • And we have a drug to deliver. • If we’re nice, we can deliver that drug to a cancer cell. • We can kill the cancer cell • If we’ve hacked the system we deliver it to a red blood cell. • We now kill you
Communications? $100 worth of gear and you can talk with those very same molecules
Nanoagriculture
We’re F**KED
Again…
OK, Panic now 
We plaster ourselves over this every damm day
All Your Data: • The Engine that we maintain brings in: • Excess of 150k “verified targets.” (IRC/FTP/HTTP/I2P/P2P) • 1 billion targets, forums, and malicious channels identified. • Over 250,000 live and usable credit cards. • Over 100,000 usable PHI records. • Over 150,000 live identities. • YOUR Information. • YOUR Identity. • YOUR Intellectual Property. • A Month…
US Nuclear Stuff in Iran ?!? Left, William States Lee III Power Plant drawings: Rights, folders taken from the PRIVATE side of the server at IAEA: Lower, spreadsheet containing names/addresses and primary military unit for the chaps guarding the Iranian nuclear systems, all on same server farm.
Remember YOUR Vendors? And your trusted partners And your suppliers And your integrators And remember that excuse “it’ll never happen to me”
Vendor Fail An oil/gas pipeline company, this is the contractors personal NAS with YOUR data….and his GF’s!
Ok, Wrap-Up!
This IS The Future Of Technology…
Future Thoughts • In 25 years do we still want to be talking about passwords? • Will we have moved onto the digital path of existence? • How will you help move the needle in security, what CHANGES? • Root causes, not band aids please. • Red IS needed, out of the box mentality HAS to find it’s place. • Bloody taser the vendor who states their blinky light fixes it all.
Red vs. Blue • You get the idea.. • There is a tsunami of tech coming our way. • There is more to do than we have bodies to do it. • Breaking most of this shit’s too easy. • Fixing it is WAY harder! • Hence…BLUE HAS TO WIN… • AND…Red has to HELP us.
“So long and thanks for all the fish” Douglas Adams, you are missed.

Empfohlen

Global CISO Forum 2017: Privacy Partnership
Global CISO Forum 2017: Privacy PartnershipGlobal CISO Forum 2017: Privacy Partnership
Global CISO Forum 2017: Privacy PartnershipEC-Council
 
Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful ...
Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful ...Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful ...
Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful ...EC-Council
 
Protecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyProtecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyShawn Tuma
 
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your MindBrian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mindcentralohioissa
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Latercentralohioissa
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...EC-Council
 
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...MITRE - ATT&CKcon
 

Empfohlen

Global CISO Forum 2017: Privacy Partnership
Global CISO Forum 2017: Privacy PartnershipGlobal CISO Forum 2017: Privacy Partnership
Global CISO Forum 2017: Privacy PartnershipEC-Council
 
Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful ...
Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful ...Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful ...
Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful ...EC-Council
 
Protecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyProtecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyShawn Tuma
 
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your MindBrian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mindcentralohioissa
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Latercentralohioissa
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...EC-Council
 
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...MITRE - ATT&CKcon
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?PECB
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actorsOWASP EEE
 
2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?Phil Agcaoili
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?centralohioissa
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityStephen Cobb
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecuritycentralohioissa
 
Security initiatives here and down under
Security initiatives here and down underSecurity initiatives here and down under
Security initiatives here and down underRoger Hagedorn
 
Breach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good GovernmentsBreach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good GovernmentsPaul W. Taylor
 
Why is securing the Internet so hard
Why is securing the Internet so hardWhy is securing the Internet so hard
Why is securing the Internet so hardAPNIC
 
MCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementMCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementWilliam McBorrough
 
Aaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseAaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseJason Luttrell, CISSP, CISM
 
Mind the gap
Mind the gapMind the gap
Mind the gapRoger Hagedorn
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowRoger Hagedorn
 
Cultivating security in the small nonprofit
Cultivating security in the small nonprofitCultivating security in the small nonprofit
Cultivating security in the small nonprofitRoger Hagedorn
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Dan Michaluk
 
Running with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsRunning with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsMichael Scheidell
 
Digital Age-Preparing Yourself
Digital Age-Preparing YourselfDigital Age-Preparing Yourself
Digital Age-Preparing Yourselfjkl0202
 
Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Dan Michaluk
 
Top 12 Threats to Enterprise
Top 12 Threats to EnterpriseTop 12 Threats to Enterprise
Top 12 Threats to EnterpriseArgyle Executive Forum
 
Cyber Security 101: What Your Agency Needs to Know
Cyber Security 101: What Your Agency Needs to KnowCyber Security 101: What Your Agency Needs to Know
Cyber Security 101: What Your Agency Needs to KnowSandra Fathi
 
Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020Chris Roberts
 
The cyber security hype cycle is upon us
The cyber security hype cycle is upon usThe cyber security hype cycle is upon us
The cyber security hype cycle is upon usJonathan Sinclair
 

Weitere ähnliche Inhalte

Was ist angesagt?

How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?PECB
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actorsOWASP EEE
 
2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?Phil Agcaoili
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?centralohioissa
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityStephen Cobb
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecuritycentralohioissa
 
Security initiatives here and down under
Security initiatives here and down underSecurity initiatives here and down under
Security initiatives here and down underRoger Hagedorn
 
Breach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good GovernmentsBreach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good GovernmentsPaul W. Taylor
 
Why is securing the Internet so hard
Why is securing the Internet so hardWhy is securing the Internet so hard
Why is securing the Internet so hardAPNIC
 
MCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementMCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementWilliam McBorrough
 
Aaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseAaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseJason Luttrell, CISSP, CISM
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowRoger Hagedorn
 
Cultivating security in the small nonprofit
Cultivating security in the small nonprofitCultivating security in the small nonprofit
Cultivating security in the small nonprofitRoger Hagedorn
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Dan Michaluk
 
Running with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsRunning with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsMichael Scheidell
 
Digital Age-Preparing Yourself
Digital Age-Preparing YourselfDigital Age-Preparing Yourself
Digital Age-Preparing Yourselfjkl0202
 
Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Dan Michaluk
 
Cyber Security 101: What Your Agency Needs to Know
Cyber Security 101: What Your Agency Needs to KnowCyber Security 101: What Your Agency Needs to Know
Cyber Security 101: What Your Agency Needs to KnowSandra Fathi
 

Was ist angesagt? (20)

How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
 
2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
 
Security initiatives here and down under
Security initiatives here and down underSecurity initiatives here and down under
Security initiatives here and down under
 
Breach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good GovernmentsBreach: When Bad Things Happen to Good Governments
Breach: When Bad Things Happen to Good Governments
 
Why is securing the Internet so hard
Why is securing the Internet so hardWhy is securing the Internet so hard
Why is securing the Internet so hard
 
MCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementMCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk Management
 
Aaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseAaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & Defense
 
Mind the gap
Mind the gapMind the gap
Mind the gap
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to Know
 
Cultivating security in the small nonprofit
Cultivating security in the small nonprofitCultivating security in the small nonprofit
Cultivating security in the small nonprofit
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015
 
Running with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsRunning with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needs
 
Digital Age-Preparing Yourself
Digital Age-Preparing YourselfDigital Age-Preparing Yourself
Digital Age-Preparing Yourself
 
Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)
 
Top 12 Threats to Enterprise
Top 12 Threats to EnterpriseTop 12 Threats to Enterprise
Top 12 Threats to Enterprise
 
Cyber Security 101: What Your Agency Needs to Know
Cyber Security 101: What Your Agency Needs to KnowCyber Security 101: What Your Agency Needs to Know
Cyber Security 101: What Your Agency Needs to Know
 

Ähnlich wie Red vs. Blue Why we’ve been getting it wrong for 25 years

Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020Chris Roberts
 
The cyber security hype cycle is upon us
The cyber security hype cycle is upon usThe cyber security hype cycle is upon us
The cyber security hype cycle is upon usJonathan Sinclair
 
Building an enterprise security knowledge graph to fuel better decisions, fas...
Building an enterprise security knowledge graph to fuel better decisions, fas...Building an enterprise security knowledge graph to fuel better decisions, fas...
Building an enterprise security knowledge graph to fuel better decisions, fas...Jon Hawes
 
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...Steve Werby
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaSteve Poole
 
Killing the golden calf of coding - We are Developers keynote
Killing the golden calf of coding - We are Developers keynoteKilling the golden calf of coding - We are Developers keynote
Killing the golden calf of coding - We are Developers keynoteChristian Heilmann
 
Technology to Improve Your (Business) Life
Technology to Improve Your (Business) LifeTechnology to Improve Your (Business) Life
Technology to Improve Your (Business) LifeGarry Polmateer
 
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?Steve Poole
 
Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Peter ODell
 
Meaghan technology report
Meaghan technology reportMeaghan technology report
Meaghan technology reportMarq2014
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE - ATT&CKcon
 
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...ITCamp
 
Recruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsRecruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsAleksandr Yampolskiy
 
2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-securityStephen Cobb
 
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...RedZone Technologies
 
Artificial Intelligence in InfoSec
Artificial Intelligence in InfoSecArtificial Intelligence in InfoSec
Artificial Intelligence in InfoSecChris Roberts
 
William Cheswick Presentation - CSO Perspectives Roadshow 2015
William Cheswick Presentation - CSO Perspectives Roadshow 2015William Cheswick Presentation - CSO Perspectives Roadshow 2015
William Cheswick Presentation - CSO Perspectives Roadshow 2015CSO_Presentations
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOpsShannon Lietz
 

Ähnlich wie Red vs. Blue Why we’ve been getting it wrong for 25 years (20)

Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020
 
The cyber security hype cycle is upon us
The cyber security hype cycle is upon usThe cyber security hype cycle is upon us
The cyber security hype cycle is upon us
 
Building an enterprise security knowledge graph to fuel better decisions, fas...
Building an enterprise security knowledge graph to fuel better decisions, fas...Building an enterprise security knowledge graph to fuel better decisions, fas...
Building an enterprise security knowledge graph to fuel better decisions, fas...
 
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 Sofia
 
Killing the golden calf of coding - We are Developers keynote
Killing the golden calf of coding - We are Developers keynoteKilling the golden calf of coding - We are Developers keynote
Killing the golden calf of coding - We are Developers keynote
 
Technology to Improve Your (Business) Life
Technology to Improve Your (Business) LifeTechnology to Improve Your (Business) Life
Technology to Improve Your (Business) Life
 
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
 
Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014
 
Meaghan technology report
Meaghan technology reportMeaghan technology report
Meaghan technology report
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - January
 
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
 
Recruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsRecruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy Steps
 
Bob Gourley
Bob GourleyBob Gourley
Bob Gourley
 
2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security
 
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
 
Artificial Intelligence in InfoSec
Artificial Intelligence in InfoSecArtificial Intelligence in InfoSec
Artificial Intelligence in InfoSec
 
William Cheswick Presentation - CSO Perspectives Roadshow 2015
William Cheswick Presentation - CSO Perspectives Roadshow 2015William Cheswick Presentation - CSO Perspectives Roadshow 2015
William Cheswick Presentation - CSO Perspectives Roadshow 2015
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 

Mehr von EC-Council

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldEC-Council
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approachEC-Council
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident ResponseEC-Council
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James EC-Council
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinEC-Council
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeEC-Council
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverEC-Council
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...EC-Council
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoEC-Council
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderEC-Council
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanEC-Council
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019EC-Council
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...EC-Council
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...EC-Council
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerEC-Council
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementEC-Council
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...EC-Council
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...EC-Council
 
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...EC-Council
 

Mehr von EC-Council (20)

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approach
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
 
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
 

Kürzlich hochgeladen

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Kürzlich hochgeladen (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

Red vs. Blue Why we’ve been getting it wrong for 25 years

  • 1. Red vs. Blue Why we’ve been getting it wrong for 25 years
  • 2. Agenda… • Intro (and thanks to EVERYONE here and the Hacker Halted crew!) • We have 105ish slides give or take a few…hold tight • Why are we here? • Red vs. Blue • And tanks… • Mentality reset! • Some solutions (hopefully.) • Why here, why now? • Some current research AND a glimpse into the crystal ball… www.hackerhalted.com 2
  • 3. Me… www.hackerhalted.com 3 • Working in InfoSec (now Cyber) industry for too many years... • Broke Nigeria, broke the ISS, the Mars Rover, airplanes, trains, etc. • Working at Acalvio, rather an awesome company! • Helping them build the next generation of deception platforms… • Why? Because Computer No.1 is already compromised… • Why? Because 25 years of chasing passwords hasn’t worked! • Currently breaking humans, AI, ML and consciousness computing… • Because the future’s not already scary enough  • Because we need a solution for the MOST annoying problem of all…
  • 4. We Don’t Do Death By PowerPoint… IF YOU see someone doing DBPPT You ARE obliged to taser them! Hacker Halted Rule 303.a
  • 5. Why are we here? Let us examine the humans we protect…
  • 6. Overall Statement The beauty of humans is that for all that we err, we also have an equal capacity to evolve. We (the humans) are both the problem AND the solution. www.hackerhalted.com 6
  • 7. Problem Statement… “HAVE” the capacity to evolve doesn’t mean we ARE evolving…
  • 8. By The Numbers… • 5.5 Billion connected people… (in 2020 ish.) • Take a standard bell curve mix for tech/human/intel etc. • 15% understand or “get” security. (At most!) • 70% sheeple. • 15% can’t even spell security or use 123456 as a password. • Globally that’s 825 Million people who “get” security. • USA has 4.4% of the global bodies, so our share is 36M people. • That 36 Million will represent about 9% of the US population. • So, now we know… 9% of the US population will understand security by 2020. www.hackerhalted.com 8
  • 13. Where ARE We Today? • 90% or greater of attacks against environments are undertaken using KNOWN exploits. • Most organizations do NOT have a well defined or integrated data security governance program. • 75% of the IoT manufacturers will not be able to address the security risks by 2020…
  • 14. And…The Remaining 9 Percent Of Us? www.hackerhalted.com 14
  • 15. Sobering Statistics • Estimated $2 Trillion per year to the economy by 2019: • Financial impacts (financial, technology, pharmaceutical.) • Data losses (intellectual property etc.) • Over 800 “major” breaches: • Major being the Really nasty ones…. • 171 Million peoples identities and records lost: • That’s just the ones we know about… • Millions of new malware programs “found” • Recycle a good idea and re-use it to target other data… • Let’s not forget the tools “lost” by our agencies… www.hackerhalted.com 15
  • 16. And… It Get’s Worse… • In the US, 55% of men and 69% of women said no teacher or career counselor ever mentioned the idea of a CyberSecurity career. • Globally, 57% of men and 66% of women said no teacher or career counselor ever mentioned the idea of a CyberSecurity career. • In the US, 51% have never received a formal CyberSecurity lesson. • Globally, 58% have never received a formal CyberSecurity lesson. www.hackerhalted.com 16
  • 17. No Worries, We’ve Got It Covered… www.hackerhalted.com 17
  • 18. A Little More Bad News… • The demand for the (CyberSecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million. (Michael Brown CEO Symantec) • Cisco Annual Security Report warned that the worldwide shortage of information security professionals is at 1 million openings. • Security leadership reported significant obstacles in implementing security projects due to: • Lack of staff expertise (34.5%) • Inadequate staffing (26.4%). • Given the above only 24% of enterprises have 24×7 monitoring in place using internal resources. www.hackerhalted.com 18
  • 19. State Of Union: Summary • We are adding more and more complex technology. • We are handing the aforementioned technology to a population that doesn’t understand (or care in many cases) about security. • We are integrating it into our homes, offices, bodies, cars, lives… • We don’t have enough qualified people to manage the current list of issues, let alone what’s coming down the pipeline. • We don’t have the in-house technical knowhow to manage all the endpoints, systems and potential attack vectors. • We don’t (typically) have good eyes on our own environments… www.hackerhalted.com 19
  • 20. In Addition: We still have to balance access needs vs. threats
  • 21. How to breach YOU in 2 minutes Healthcare…
  • 22.
  • 23. It said “Portal Login” that MUST mean it’s safe..
  • 24. On average 75-85% success rate Despite a METRIC F**K TON of end user training…
  • 25. A Metric What ?!? www.hackerhalted.com 25 • buttload * 10 = 1 butt ton • butt ton * 10 = 1 assload • assload * 10 = 1 asston • asston * 10 = 1 shitload • shitload * 10 = 1 shitton • shitton * 10 = 1 fuckload • fuckload * 10 = 1 fuckton • so to answer what IS a fuckton, it s = 103 shitloads = 107 buttloads
  • 26. We are so F**KED
  • 27. 25 Years of InfoSec Conferences… • We still bitch and whine about passwords. • We still blame users, managers, developers, grandma’s AND the network… • We were safer with the mainframe ONLY because it was in ONE room. • We lost the battle when the data left the green-screen. • We lost the war when the laptop arrived.
  • 29.
  • 30. Introspective… • We are so focused on red teams and breaking things we forget WHY we are truly here. • Our charges who rely upon us to protect them are looking at us wondering WTF. • We keep blaming our charges AND we keep increasing complexities. • We spend more time building band aids than actually FIXING things.
  • 31. We have failed absolutely spectacularly.
  • 32. Dammit Red Sucks – A New Reality? • Red is the schoolyard bully that takes what they want, when they want. • What’s worse we are promoting it, building up as something to do, something to aspire to, something to build a career out of… • We have lost the core focus of what we should be doing, what our purpose is and what we really got into this industry for…
  • 34. We Don’t Need Ninja’s Anymore
  • 35. Why Blue Has To Win • We’ve helped built a multi-billion dollar industry on the misery of others. • We still find more issues that can’t be fixed, more systems that are broken and more ways to break whatever IS there. • We have neglected to actually DO anything to fix the problem aside from standing from our pulpits lecturing everyone on how wonderful we look in our ninja gear with our latest gadgets… • We have quite simply failed, ALL the data still gets taken ALL the time.
  • 36. Really Blue HAS To Win… • There’s too much to fix, and too few teams actually fixing things. • The blue team folks are throwing up their hands as there’s too much to do in too little time with too few resources. • We still break more things and pump out more reactive software and hardware that does little to alleviate the situation.
  • 37. Vendor Vultures… Security vendors preying on the dead and dying companies bleeding data. Above; fighting over product placement and insurance policies.
  • 38. One Team One Fight • We need a better blue team playbook, we are putting one together…it came out of the last six months of work with the National Guard. • We need to coordinate and collaborate better between ALL of us AND we need more damm diversity in this industry. • Too many fragmented and fractured solutions that are not cohesively implemented.
  • 39. IS this Death of the Red Team?
  • 40. No! • Red IS needed: • Keep the vendors honest, test everything coming in… • HELP the development teams work through a secure SDLC. • The mentality OF the attacker to help the blue teams. • TRAIN the next generation of tools coming into our environments… • Mentor the next generation, again attacker mentality, defender stance. • Also! • Some still needs to keep annoying the FBI… • Someone needs to think outside of the box, BUT help with solutions.
  • 41. Ok, yelling over, lets fix it!
  • 43. Reset Part 1: • Security IS NOT an afterthought. • Build it in from the very start of a project! • Security IS NOT something to remember AFTER QA. • SDLC is not just a nice to have…make it a bloody priority. • Security IS a mindset. • Welcome to 2017 and beyond, the hackers OWN it. • Security IS the differentiator. • Your organizations actually might thank you! • Your customers WILL thank you! • Use it to your advantage in marketing.
  • 44. Above All… Security IS all of our RESPONSIBILITY IF you don’t think so… guess who’s going to rip your new toys to pieces.
  • 45. Reset Part 2: • Hold vendors responsible for delivering secure products ALL the time… • Integrators need to be held responsible for educating partners. • “Secure” is more than slamming product after product into the environment. • This years blinky light isn’t going to save you, last years didn’t save you. • Save your money, train the users, get a maturity model in place and use it!
  • 47. Evolve Or Die • The industry AND InfoSec have to autonomously learn their environment. • Adapt, emulate and bloody camouflage the security tools! • Learning behaviors should be built in. • Anything we build has to be adaptive! • This IS a game of chess, why are we hampering ourselves? • Security HAS to evolve beyond the reactive stack • Preventative (please!) • Predictive! • Anything we build has to be intuitive… • PHD level installation instructions are BS! Thanks Packet Storm!
  • 49. Passwords (Seriously!)… • Would be nice to NOT break into a company because defaults.. • Use biometrics, smartcards or two factor correctly please!. • Cost of remediation is 8x the cost of deployment; fix your passwords! • User education and awareness training AND Executive buy-in… • QUIT MAKING IT EASY! NO DEFAULTS! NO “Passw0rd!”
  • 50. Summary: • As red team: • We don’t want more default passwords. • We don’t want hardcoded passwords/phrases. • We don’t need shared keys that are badly encrypted. • As blue team: • We don’t want more screens to look at. • We don’t need our users to find more insecure ways to work! • We want something intuitive. • We want help…not hindrance please. • Preferably we WANT collaborative purple teams!
  • 51. Why here, why now? Let us take a peek into the future…
  • 53.
  • 54.
  • 55. Greater than 65% of FinTech companies have NOT done the basic security testing.
  • 56. More...before you hit the panic button!
  • 57. Locomotives: What to do when you get banned from several airlines…
  • 58. 48 Hour Attack Period • Several willing and able researchers. • 200 foot of Cat5 cable. • Numerous devices to monitor over-the-air signals. • Couple of specific connector types. • Close proximity to a number of waysides… • Very close proximity to a rail yard. • Potential access to numerous locomotives. • A comprehensive set of lock bypass tools. • A few bottles of GOOD single malt. • Enough batteries to keep us happy. • Safety shoes (mustn’t forget those.) • No bloody orange/yellow vests. • A lot of OSINT and some HUMINT/SIGINT.
  • 59. Where IS The Cargo? • ORBCOMM (Satellite or cellular on the move) • Thanks to some badly handled SQL queries we can track all your cargo. • TransCore (RFID in motion or in yard) • Once again the SQL issues bites back, now we can organize your cargo. • Softrail (railcars in the yard…where’s my stuff?) • Thankfully the software can be readily downloaded and reverse engineered to allow full access. • We can now built YOUR train to OUR specifications.
  • 60. HACKED: Intermodal cargo in a rail yard, our tools building your railways…
  • 61. GE Locomotives… GE & QNX…a marriage of vulnerabilities • Modern locomotive supplier • Not so modern outlook on security • Multiple attack vectors across the systems • Engine (ECU attack vectors) • Thermal protection sensors • Diagnostic data feeds • Cooling system attack options • GE LocoCAM I see what you see… Terminal into a GE train ID: GE PWD: 000000 (default)
  • 62. Signals Hacked • GE Transportation Global Signaling • Passwords in the clear • Scrape out the necessary handshake… • Replay attack • Job done, now own Signals Thanks to OSINT we find file servers like this ALL over the Internet.. Pretty much each folder has both the instruction manuals AND the passwords (If they have been changed from default…)
  • 63. MitM: Not Present Attack Scenario • Take the concept of a MitM (Man in the Middle) attack used across the InfoSec industry and apply it to signaling. • System: Leave lights green as OUR train comes into upcoming signal path. • Wayside/lights/crossing: Need to lower/drop/flash/validate (please.) • Attack: MitM “Sure” here’s the legitimate packets to cover to both ends… • Wayside/lights/crossing: Got it, go-ahead and pass friendly train… • Locomotive: Thanks too, OUR HACKED train passing through. • Wayside/lights/crossing: No problem, happy to oblige…
  • 66. Food: • How TO get the attention of the 92%
  • 67. Pick A Country… Sorry UK  • Too many of them in Scotland, lost us the independence vote, therefore payback…your tea’s going to suffer. • How to find data, and how to do the research without breaking the target. • We focused on Fullwood and their suite of tools. • On the right is the suite of tools. • FULL herd management. • Heaps of data on the forums! • And….Windows 
  • 68. Research! • OSINT, HUMINT, SIGINT Etc. • Google IS your friend. • Forums are your friend. • Nmap is your friend (as is Shodan!) • CVE Details will also help (useful to know what’s got issues.) • Our Deep/Darknet platform is a HUGE help here… • Your role is to be the analysts….this IS “Threat Intelligence.”
  • 71. Milk Robots On WinXP/2K
  • 72. Even The Livestock’s Connected… • RFID, Barcode systems, mixed with wireless technologies. • Wardriving cows, NFC and RFID embedded in tags. • Cows in the cloud…yea this is where it gets fun  • Pedometers for cows…nothing can go wrong here  • Proactive support that is cloud based…. (Afimilk.) • Basic security (minimal encryption etc.) 4 digit passcodes. • Feed, nutrient and cleaning (chemicals) monitored.
  • 73. This Isn’t Going To End Well
  • 74. Got Crops • All your Wheaties (and Cheerio’s) belong to me. • Controllers and other access points in the manufacturing systems cracked. • Monitoring systems reverse engineered. • Quality Controls hacked. • Product Inventory / Bar codes. • Time/Date stamps - high-speed inkjet printers. • All your farm animals are dead • Chicken heating/cooling monitors (sorry Thanksgiving.) • Pig and other automated feed systems. • Manipulate the feed and food mixing systems so animals get wrong foods. • All the drugs they are feeding the animals, we can manipulate the doses. • All your crops are failing • Hack the tractors revisited (getting Jesse back on point.) • Hack the chemicals, Round-Up’s vulnerabilities. • Hack the GMO (Sorry Monsanto…ish), all your crops ARE vulnerable. • Seed supply, kill the supply now you hit next years crops too.
  • 77. It’s all a matter of manipulating atoms No different than an assembly line Just a different scale.
  • 79. Educating Atoms - 2016 EPFL's Laboratory late 2016…
  • 80.
  • 81. Code to Biology Hack In Action Want to hack E.coli? Here you go…
  • 82. OK, So to this point we’ve: BUILT it, CODED it, Now we have to DEPLOY…
  • 83. Science Fact Swimming nanobots: Direction, motion and other functions can be changed based on the application of either heat (laser) or electromagnetic pulses)
  • 84. Science Fact Nanorobots being taught how to code (above, recognize the differences in chemicals)
  • 86. Our hexametric ring: six stations carrying different molecules: • We have our keys • Receptor-binding aptamer • We have our transport • siRNA • We have our bypass tools • Ribozyme • We have our report tools • Image Reporter • We have our payload • Drugs • And we have our decoys • Endosome disruptor
  • 87. In English: • We took Bird Flu • We bound it to multiwall nanotubes • We fooled the body into thinking it was good • We have the propulsion system to move in the body • We have a tracking/tracing method for monitoring progress • We have decoys to deploy should the body go WTF • And we have a drug to deliver. • If we’re nice, we can deliver that drug to a cancer cell. • We can kill the cancer cell • If we’ve hacked the system we deliver it to a red blood cell. • We now kill you
  • 88. Communications? $100 worth of gear and you can talk with those very same molecules
  • 90.
  • 94. We plaster ourselves over this every damm day
  • 95. All Your Data: • The Engine that we maintain brings in: • Excess of 150k “verified targets.” (IRC/FTP/HTTP/I2P/P2P) • 1 billion targets, forums, and malicious channels identified. • Over 250,000 live and usable credit cards. • Over 100,000 usable PHI records. • Over 150,000 live identities. • YOUR Information. • YOUR Identity. • YOUR Intellectual Property. • A Month…
  • 96. US Nuclear Stuff in Iran ?!? Left, William States Lee III Power Plant drawings: Rights, folders taken from the PRIVATE side of the server at IAEA: Lower, spreadsheet containing names/addresses and primary military unit for the chaps guarding the Iranian nuclear systems, all on same server farm.
  • 97. Remember YOUR Vendors? And your trusted partners And your suppliers And your integrators And remember that excuse “it’ll never happen to me”
  • 98. Vendor Fail An oil/gas pipeline company, this is the contractors personal NAS with YOUR data….and his GF’s!
  • 100. This IS The Future Of Technology…
  • 101. Future Thoughts • In 25 years do we still want to be talking about passwords? • Will we have moved onto the digital path of existence? • How will you help move the needle in security, what CHANGES? • Root causes, not band aids please. • Red IS needed, out of the box mentality HAS to find it’s place. • Bloody taser the vendor who states their blinky light fixes it all.
  • 102. Red vs. Blue • You get the idea.. • There is a tsunami of tech coming our way. • There is more to do than we have bodies to do it. • Breaking most of this shit’s too easy. • Fixing it is WAY harder! • Hence…BLUE HAS TO WIN… • AND…Red has to HELP us.
  • 103. “So long and thanks for all the fish” Douglas Adams, you are missed.

Hinweis der Redaktion

  1. IoT Devices….
  2. FinTech
  3. 80,000 on a human hair
  4. Left Cello code, then moving the code to the file, which then can manipulate the DNA sequencing which produces the code in a biological sequence that corresponds to “hack the specific protein/cell/type”