A Deep Dark Dive Into Security And Risk

hi everybody good afternoon and welcome you're here for a dive dive into security risk and what I said before it'll be Paul McKenna I would say that you know I could make you take risk and say yes stakeholders on Mars so Who am I I it was quite interesting when Connor Wilson just before me mentioned that you know one of the worst set you know devices in your home could be set to boxes I used to work in electronics and repair set-top boxes I'm as I sometimes say the poorest camp of Scotty cyber I've been everywhere don't quite a lot of staff in academia work from all major banks I inspired the crypto professor to

do crypto I worked with Jamie Graves who is now running zone folks and some most recent things I also helped to ensure the security of the core components of the arc recorder which is if you're interested in some distributed stuff so been there done that I don't have any t-shirts most of the companies only CableCards only thought I do understand the O'Day chart I do a lot of technical things I love talking about it but guess what not everybody likes talking about it and often things that we care about you know as a tech security forum I leave it behind somebody puts them somewhere on additional bit of the document so so what people actually care about is X

examine that will you left with so if you want to get something that's where you need to get it so just to make sure I'm going to be talking about some things that have happened in the past and if you recognize the company I'm talking about it's because you right there so don't share it's all gonna be fine so what is the problem today in security I into few talks today already I had some messages that was talking about breaches Facebook doesn't care those people don't care it just business doesn't care that much and how do we make them hair a little bit about so imagine you've got the pen test results are out now you've got the

recommendation you need to get a new piece of kit into your organization or somebody is going to take it over you you know you just get it into your mind if we found that piece of teeth it could be a flux capacitor by the way you did not wanna get out alive so what are you going to do how you gonna get it from your stakeholders are you going to do nothing you know add it to annual budget unlikely it's usually too small to actually run the costs for the year you can wait for a nice project to come along and ask them or you can still two-tone him from Lydians and sell it on

I often use that in the past I basically waited for a big enough project to come along whenever they would go into the transformation cycle eventually they would have hit one of the security gates and I would be like you know guys if you're not doing if you're not going to do that you can go ahead you can deliver your project the best I got out of it I actually managed to get a tactical sim installed for 1.2 million pounds in one of the bank's I'm quite glad in that but it's not things I'm proud of because at the same time I'm the blocker I'm a security guy saying guys you not gonna go past planning or you know they're

gonna get to the execution if you don't invest 1.2 million right now towards the end of your project I'm the bad guy I'm dead you know it feels bad and you can't really oversell so it would be nice if obviously stake holders will get us near that when we talk strategy no division what we want to do with the company but they don't do it often security is the thing that is at the back so and it I get few examples in the past as well so some stories I remember at one stage one of the stakeholders in the bank actually didn't come to us somebody just send us a little email saying guys that

area in the bank is doing something risky you know go inspect it and by the way when I take advantage in any bank I work in most of the vines in Scotland so when when somebody say that area is doing something risky we call and speak to them is like yeah don't worry it's we're not changing anything so basically when clients have problems to get online this phone has happened they want to get the statement or something or account balance we just say you know you could do it all online you can I take you through the process so they take all the security details on at all they asked people what password would you like the

tip it over that form doesn't matter the Crawleys get recorded and then they say to the customer you can use it now online banking so yeah I had a problem talking to the stakeholders and telling them guys there's something wrong about it so it turns out our common sense is not the common sense that the business stakeholder said how can we fix it if we don't have a common sense that maybe there is something else we've got in common so you know business like to talk about money customer satisfaction press releases and some other flash you know some nice pictures maybe feelings of people say sales pitches security on the other hand every cut some nice talk we

talk about secured by design as clearly injection password complexity great it's nice is I like that chat sky stand get it you know and then we've got some flat as well we've got my spy charts of our dashboards on our new scene actually has knobbly pie chart if you want to see those holida one thing we actually had in common is risk you know business guys talk about risk every day at least monthly they need to look at the finance and credit risk and they'll have also mandatory eristic plenty of ways to worry about so I learned a popping that language and we talked about this but when we talk about it we want to stop people taking

risks when they talk about risk they want to take risk that's how you make money in a business you don't make money by sitting at home and being wrapping yourself in a you know in a doobie and hoping everything gonna be good that's not how you make money as a business you go out there take a risk to be the first in the market or something else whatever your domain is and that's how you make money so how do we go about fixing there is a disconnect about how we talk it we even talking about the same thing but we do things in brain perspective a different perspective so where I want to tell you or take you today is how myself

a risk-averse person from a cave diver and relate it to a lot of things we do in security so we can imagine going diving is actually great sport for me I can't do meditation I just you know tried I failed that's my meditation you know like I can go there with a bunch of friends go under the water listen to myself breathing in and out looking to the world around these visitor there and relax nobody can call me nobody can talk to me anyway that is a good app okay down it's fine it's it's nice and relaxing sport but there are some risks especially if you can't escape that so actually this is quite a treat ix

visibility dive into it was quite a nice and relaxing experience Amy as well if you get Custer public already that's how I used to get there but I now enjoyed so what is it that we're not when most people see something like that careful risk us what security guys now say to the business like careful risk don't go there something bad can happen I see a nice repressed recreational area and that's that's what's behind that fence there is a huge quarry flooded nobody died before me and my body that's what if I'd nice quiet nobody's there anyway so how do we get people to see that at different side and because I'm now talking to the security proud

I'm taking this view that security maybe follow rather than the business and I think we can meet in the middle so first of all how risky is it you find out that if somebody's cave trained it's you know one out of three hundred thousand dives end up being a fatality or causing a fatality normal diving one out of two hundred thousand dives somebody dies if you run a marathon is one out of 100,000 to you guys if you run a marathon I salute you it's a risky business it is so don't think that K diabetes heart is not insulted you can join us and obviously driving is far more dangers and and the like the one that

they like in the bottom right is actually hard something at least wrong about these sharks people are scared of sharks but actually you're more likely to die of flu or stroke or cancer than I'm tiny risk of being bitten by a shark so think about it so if we get statistics wrong and if we get perception of the risk wrong in our heads is it that we only get it about other things maybe when we talk about work your man's better among three security guys and girls we cannot have to be better in each one so in 2019 what was the most likely I'll having malware and I don't want you to shout to raise

your hand or anything let's do it the mentally stylist into yourself one of those answers okay I hope some of you were surprised because that's the point of it most people are now talking about office there is it's fair of you know office Kyle palace carrying malware yes there may be a newer wave they are in the news but actually javascript files always carried malware and they still carry malware and they still majorly t of malware so maybe some other statistics you may have been involved in one of those ransomware incident how long will it last you've detected that also incidents of heart you've got a ransom on your screen how long it usually takes a company to recover again

think the answer to yourself you know you've got backups you've got everything how long it will take you to recover on average is seven point three days and it's usually cost the company about sixty four sixty five thousand dollars these are the stats from a company called cold where an extra body quite like their statistics and Pat one they've got they say that malware or ransomware got so bad indeed that now you've got ninety five chance of recovering your files if you pay them in the past I would never advise people to pay I sit on my bicycle to pay but 95 percent chance of recovering your files if you pay it's pretty good software okay so the

protection of risk is all over the place you know people are scared of terrorist attack but the risk is actually finding no as the on the bottom is actual reason pop is how people are worried about it everybody talks about you know terrorist attacks plane crashes actually you are more of a risk of you know if you're having a glass of wine a day that's more likely to be a cause of your death rather than the tolerance attack so here's another one for you have you heard in the last three months that most of the attacks on organizational most of the malware into the organization is carried by the email is coming to me no

thanks that's a start actually all over the place ninety pounds ninety percent of everything is carried by email no this was a Verizon stack the statistics about AP key had nothing to do with malware but people that sell ELT tools and other tools are now using it to advertise and saying come on get our tools everything is coming through email it still Remote Desktop Protocol that gets people will be surprised 2018-19 so tune your perception of risk know what's around you and then get back to you know white cave diving is not so dangerous you know we still haven't seen the data is it is it dangerous is not dangerous how did it got to that point and command

all had a nice thing is you know actually you really look at the data and you shouldn't get any theories about it so in 70s it was a very risky sport many people died actually no 35 people per year would die cave diving and then something happened science like that would be put up in Mexico and Florida to warn people about danger and also put trainings about and the reason was because somebody Dom accident analysis we found out that most people that died were actually it could be family so it could be just recreational divers the 70s just q-bag real good quite cheap so they all create go and dive they would start diving into a nice little

stream it's open water diving so you can surface anytime you want and get nice breath of air and then they would go a little bit in the caves because they right next to the streams that was the right came back on next week and I go a bit deeper Purple's like it's it's an easy in cave diving come on it's not scary at all it a bit deeper deeper every week and you know they'll get overconfident actually I died because of something they would get to the point where where as our businesses they would you know you speak to the business and say why should I do something that you tell me about I've been operating for the past

three years nothing has happened and it's the same kind of you know reactions so how was it keeps they it was a proper accident analysis done people started to care about the people our in a straining state of mind somebody going diving skills and learn from the mistakes every time you go into the cave but now you look at the den is like it's pretty much like any framework for trying to defend yourself this one is the oldest identified protect detect respond and recover if you've got a problem if you want to defend yourself against something going wrong you can use one of many methodologies but as long as you go and stick to it to define

so when you defend yourself try to work these phases identify what could go wrong for take years of against detect when something starts to go wrong respond in recover so what how does it translate to things but then do it to proper level well somebody may die at the end of it maybe the company is the company gotta die so what kills a crate diver out of those four other confidence that is most likely to kill them as I said before you know other people that type you will notice that that's a graph showing how many people had cave diving qualification hundred and forty three of them you can have any having qualifications the people that

actually bothered and done some training very pretty right not that many open died but I want you to go further whenever you're trying to say to somebody what's gonna happen what is the wrong thing that are going to happen to your company or a business or your colleagues at work or the customers I want you to go further and think know what's there you know obviously when we talk about loss of visibility that can cause an accident and tango meant yes I can die because of it after maybe half an hour but then panic the game but when I'm diving what's gonna kill me the lack of air or water in my lungs and the same

with the company they not gonna die because of a data breach and I've seen you've seen some examples this morning from from other people solving how many breaches Facebook went through and other organizations went through and they still alive define so what kills a company so you probably heard about it in 2007 17 masks one of the biggest shipment company actually the biggest shipping company in the world was hit by no petia and you know after that incident they had to attach about 4,000 servers 45,000 pcs had to be redone they've been done for ten days nothing operated so all those ships were out and see waiting to vote reports because they couldn't unload everything was on phase with the ships

they couldn't unload the cargo because the system wasn't telling people where to put the cargo the tracks would actually queue up outside the ports and block the major highways everybody was aware of they couldn't do anything about it so no but so what happened to masks we had some people today saying all the surprise may drop yes it will drop for a very short while it not going to drop for long nurse doesn't day the vertical line there is a day when the actual initiative is no Patea they're in similar time that they had in 2000 seeing they've got now between 2018-19 I don't see that much offense taking diet because of it mess will continue to

operate they will be fine but if you would say to mare skies you know you could save yourself 300 million by not connecting one of your machines to the network the machine will be using the software from the Train that's gonna get automatically passed by whoever know somebody you don't trust they'll probably say yes don't put that machine on a network maybe pay 400 pounds or 200 pounds to get it secured so talk about risk can breach analytical that wasn't a nice one as well they waiting at which they were the bridge we probably heard about them they actually if we look at breaks it or Donald Trump winning the election they probably had something to

do with it just because they manipulated people's mind in Facebook and other sources they died they've been outed last last year Channel Paul ran a documentary about them that company is no longer around not because of a breach no law but because they ran out of money they run out of money depending himself from the press and also their servers were taken by the IC also they couldn't operate if they would have more money he would continue to operate it was another element there as well companies like Trump which channel it can depend on somebody that he supplier like Facebook with data we cut them away from that supplier they're dependent so if you are a bank for example and you

have millions of customers and you don't have one single supplier that can take you down what happens if you blow the bridge no different a supervisor surprise may drop for five days they will cost you but not that much there was another case of rock you rock she was a brilliant one and I hope you actually know about them so if you give to any password cracking lectures or anything like that you may have heard about rocky they were the original password log I've got outed on the internet before 2009 everybody thought that people were quite clever with their passwords they actually had proper random passports but you know one hacker with a clue minimum is is is I he he was able

to execute an SQL injection on their website and be able to get all the password data from the website and what was nice he kind of made it public that you know rocky is not safe so we rock you said all week now patch our systems everything inspiring people don't panic but they they weren't honest with people so you know the attacker can default you know they need to do something about it so we thought what best you can do he actually took 32 million passwords and add them to the internet with no username so the security industry learn a lot from it they actually if you know about people using password one two three four or something is because of

that breach they were the first one that got beat and what what happened to them that happened 2009 2010 they were still operating they like had to fire about half of their staff but up until I think last month they were still operating taking died that organization did not die so if you're going and saying to your stakeholders come on if you don't patch the system they're going to be huge massive data breach and your top even as with all your customers that's probably not exactly true you need to be specific if you are telling your people that and you need to know what your company is dependent on so rock in the game they were depending on Facebook

Facebook could hand down the top and MySpace they could turn down the top any time and that's what happened that's why they actually had to hire a couple named Stan so what gives companies do not pass their order to close reading bad press or a breach but it's different for everybody we need to understand the business you're helping don't just tell them it's a bridge what's gonna kill you this means you don't understand the business we don't understand the risk it means you don't know how the people you work and will make money okay so identify know your business what does it need to survive and then protect yourself you know in cave diving we we know you can I have to

having two bottles of air if if any no I can easily die because I ran off out of air I can only keep my breath for 30 seconds I sent inspired myself shot another in into a deep mind now how do I get out alive if something happens I need to have a backup so we always carry two bottles of air into two separate regulators if we need to separate the bottles we've got the 9-volt at the back which we can just turn down shut down and had two distinct systems if I go to a type okay I've got another system where I keep the bottles on the side I can take them both off put them in front

of me and be okay I'm never going to be seen to go past many obstacles but still a slim as I can get to an obstacle and sometimes the best kit you can get is not a diving Keith I think that's a lifesaver one of the minds we explore we need to walk about quarter of a mile so I think that's the best kit we ever bought in the or bike or port that gets us to the place and don't get to the place out of breath but what I want you to think about is you know when you trying to protect yourself and now you know what can kill you get the right tools for the job

and surely you know that at least one or two stories of what people buy when they even money or when they told that something needs to be changed one of them you know I remember an organization that was told you need to get correlation between password checkouts and what is a privilege activity and they went through looking to few different seen tools and at the end of it they come out with two and that was ages ago was about eight ten years ago they come out with curators plan problem his plan was it didn't have a security label back in the day and also the sales guy from the states didn't want to travel to UK because it's a smash a

small island you know it was a small market for them curator should not do correlation at all but the salesgirl yeah they were happy to travel it's free travel come on is a eight hours in they can help you to that organization obviously the time that was a bank they went for curator and that's where I brought my first score or checked my first correlation rules in peril outside of the symptom because the only way you could do correlation was to take the logs out of the symbol for the night when two different patches compare them in parallel put it back into the seam tool and see the exceptions the next morning and you think to yourself how

much money doesn't waste every day how much life you're wasting because you got the wrong tool for a job and your security if you get something the wrong be brave enough to say that or think about the strategy how you're going to get better so things like that I'm sure you've got plenty of those horror stories from your organization's I work with you before and I know few of those horror stories so get the right tools for the job and then we took detect that something is getting wrong you know so if you think about diving accident actually diving at it then often starts at home all on the journey to your dive site it

does not start even down in the cave it starts with maybe your mindset maybe something happened on the way maybe it's just not your day one of the cases there was a guy who was on the boat in Scots law one of the beautiful areas up in Scotland and you know he had a little fall on the board obviously we've got like 40 kilos of equipment on our backs so he got up shake himself is like it's a patient to the skipper and Pines keeper and skipper thought she looks all right let him dive he went died down he was planning a deep dive 260 metres he never surfaced and it was because of that little ball that he had exactly

happened to his arm he couldn't operate things that he should be able to operate and actually skipper would go to jail if not for the fact he did not organize the trip he was just helping some buddies go on the boat so think about rally detect those little signals telling me that something may go wrong and how do you filter them that you also don't waste time and look at too much noise Tesco bank was an interesting case in 2016 I'm sure that we've heard about them they're spent on banks like them as well so they're not my target in here but if you think about them they had a breach they somebody worked out how to

do the silly vehicles on their cards and you know they only lost two points two million pounds in fraud at that bridge so they could compensate all the clients but obviously that was pretty pretty uncomfortable situations for the client to find out they'd be losing money and somebody being deterred in their accounts so actually they've been fined sixteen million pounds for that event and when you read the accident analysis it turns out that the fraud guys knew on Friday evening that something is going wrong and they keep emailing that little inbox saying we think something is going wrong you should look into it second line please look into it and guess what second line was a way for the weekend

take in check the email somebody did not check the process and for 21 hours nobody actually started responding to the event just 21 hours before somebody done a change to prevent a fraud from the time they actually detected and I'm sure that they've detected at these few hours you know more after the fraud started happening so get those signals early teach people to be open and honest in diving if I could apart feeling that about today you know I make a driven 300 miles I'll make it paid if you have the powers to get onto a boat but if I say guys I'm not diving today nobody gonna question and the same in your organization if somebody sticks their

hands up and say guys think something's wrong here go investigate check it and if it's nothing to beat and tell them okay good thank you for telling us this is not big because of that that and Dad so next time you call something like that think about those things if you think you're still worried come back to us so get those everyone so don't ignore the little things and then how do you train to respond in dieting on the left-hand side that's how you learn to scuba dive and do your mass clearing you're on the bottom of the pool got two hands on your mask and you're trying to blow in the mask to actually

get the F the water out of your mask when you take diving on the left-hand side we need to think about things you've got a helmet you've got a line if you lose the line and you can see you're not going to know which way to go where it's out of the cave so you need to grab it you need to get the mask out with your wife and swap it for another one because your mask is obviously broken and and you turn and you are suspended in water you can't run on the bottom because the seal just gonna cover things so think about how we train when we do Tyburn stance all you desktop best

exercises we go and meet people and they talk how well they're prepared they we told them about that exercise amount I've had so obviously they don't they homework but at least they've Secretary done their homework and they've got all the documents ready for the desktop exercise one nice things that I i I've seen before one of the consultants I worked with before his way of checking whether component can pick itself up and whether the crisis team is up to his scratch he waits for a planned fire drill and after the pilot will teach up shut up some soldiers of the crisis management even say ok guys andhere's that's you whatever you brought with you we're taking a cue after and you now

recopied the company it's much harder to do it and then that reminds me another client that when I went there and done an inspection whether they actually prepared for any kind of physical crisis they say don't worry about it every one of our employees has a laptop if something happens they can take those laptops home we check we've got enough licenses for them to connect remotely they can do everything remotely ok so we turn up a dog is at 6 a.m. the next morning what did we find laptops every single desk how are you going to recover from a burning building if your workstations and how people connect remotely to your work are on desks and people don't have

them it's not a strategy so train as it is real life have fun talking about it are you capable of responding 24/7 trust add to one stage last year I learned I'm not I went to Gaza to do my you know one of my tape training septum few now and on the first day of the course I had my mask pulled off me and that's the first time I think I felt like I may actually die doing I felt like I'm being waterboarded so that the thing about trying to clear your mask especially when somebody pulled off is that yeah you can had water getting into your nose and stuff like that if you had been on a

flight the previous night you only got to your hotel at 3 a.m. in the morning and européenne all are all born in trainings other things didn't have lunch and then you end up in water and in a risky scenario I actually had to stop that exercise and say guys no that's me today or for this one put my start back on but I was down on the bottom of the cave and just say not no more today and if you think about your responders you know after I read some LinkedIn statuses and is like all guys it's so hard being a security guys we've been here or 5:00 a.m. or maybe 6 applaud it's so late and

we're still working and that's when you're not being attacked and you telling the word u.s. security board somewhere out there wherever you are and you're not hurt on a normal day do an easy target just somebody knocks you off a little bit you don't have any strength to defend yourself a normal shock analyst can have a analyze something for about 5 to 6 hours there were studies done Matt after that they either need to go home get their pizza I've had a walk or something like that so you are not able to be ready 24/7 prepare your team's for it an average person works 40 hours a week Katie our team is organized around it

okay yeah free time supplies timelines lives timelines and statistics we talk about statistics before so when you trying to recover for magnitude and when you're trying to do anything try to get the right benchmarks I've been to so many clients that say all we lose we look at industry data the industry data is telling us that and we also talk to other people and they told us that something like that is happening in their environments and then I go to the man cave so what is happening in your company where is your data where is your attack data where is the data that tells me how many times you can breach how many records you lost how many much

money your company lost at the back of it it doesn't matter that you lost you know maybe hundred records if you lost hundred records in 2018 I want to know what was the impact on that organization I want to know what you've done with that whether you learn anything but keep it as a data point somewhere and so many people try to look outside the resolution at least half of the world is inside your own organizations analyzing what you got so to summarize all that these are the points that I covered it would be far too easy that I just left it at that you know it's yeah analyze the problems you've got think how your company can

die and get start from there but that's easy said how do we go about it some lessons are quite old to be honest on the left one of the best cave diving groups ever Britain was beaten with 70s 40 years ago feel as bad as them on the right a book that was written in or release in 1936 and if you're a consultant I advise you read I've been told about this book eleven years ago I had not read it I thought oh it's about cheating people no it's not about cheating people it's about how to be nice and understand other people's perspectives and get to understand them and help them so if you try to help somebody with a security

guide consulting speaking to people I will read it for the right reason just because you want to understand other people and the way they see the world so and also we don't defensive side we are not attacking anybody we not a business trying to do something the reason that myth that you need a strong leader everywhere you need strong leader to take you to the moon let's say you need strong leader to be on the offensive side to attack some money only defensive side as I said before one person can only cover you for 40 hours a week we want a strong team of people helping each other talking to each other if you've got risks function near company

that audit function your company and your security person don't go to the business without speaking with those guys if you go to the business and say we need to do that the risk person sells non-oil you surely can't do that and the audit has a third perspective and you expect the business to be the responsible adult even that they don't have a clue about security you're doing it wrong go and speak to everybody you can and go and build a herd you know the team of people that like to have fun but actually like to do something interesting

[Music]

we need to get better and better so in here it's me with a blindfold trying to get myself out of a cave I didn't know I get lost I need to find the positions I aim I can't just try to navigate it and wing it because I'm a believer in a cave so I need to ignore position I mean so you practice harder and harder every time you do something and you know at this time I was going to tell you about the final exercise I've been doing these two people are applying for they're trying to get out of the cave because we simulate zero is that maybe there I'm now running out of air I mean the head

means I don't have any more air we need to find to get air from that guy and get out I was going to say that if you practice I'd let the crowd of people like minded and that's why we have fun with them insecurity in other things you can do amazing stuff life actually is better than that me planning it do you remember the typo is getting stuck in a cave last year there's 12 typos in the code called stuck in the head and one one guy that came to the rescue was false those drawers Bradley and that guy last week last Tuesday never returned from the I was with the bodies exploring some new caves they

came out he wasn't there we called 9-1-1 the cave rescue team came bound his bodies couldn't get him they were exhausted they didn't have air they were and sitting up to go back in the cold night one man and waited for them to arrive 24 hours later those guys you know are extracting the papers cooking saying you know we know Josh if he got into troubles he would try to get to the safest place is in thyroid 24 hours in a cave there is a place where he could potentially have survived for 24 hours but it's through some narrow and dangerous passage and you know the rescuers went into the cave at six eight six o'clock in the afternoon 50 minutes

later that guy came out himself they just kept in there he came out and just asked for pizza and thank everybody involved next day he was back in the cave and it's because he practiced these 10,000 hours and harder than hard and hard and environments he wasn't easy on himself and he was having fun while he was doing it it's not about being tough on yourself if you're not having fun what you're doing change jobs I really advise it find the place where you enjoy what you're doing so get out to some ground things daily you will that came strong but you can help you recover from them that things that are interesting and build ahead and

remember it's not about a leader when you depend about building a strong team that biggest top of the leader is to find the right people for the team so thanks very much now started an initiative called cyber escapes together I haven't started I'm not helping some guys doing that they started it I think is a great initiative we couldn't go with that forward it's called cyber escapes we will get like-minded people together to have some fun explosive to it'll melt people sides not just pen test not just crypto but also some analyzing of data and actually speaking to people as well you want to link in with me speaking of petaca that's my name proper

name call me ZB and that's my Twitter handle so that's me thanks very much