
The Definition Of Madness - Ian Davies

BSides London · 2019 · 17:16 · Published 2019-06
Category: Community
Style: Talk
About this talk
We keep seeing the same old mistakes and the same old issues. Isn't the definition of madness doing the same thing over and over expecting a different result? We need to change the approach, remove the elitism and make Infosec available to all.
Transcript [en]

Good afternoon everybody. So, as it was introduced, my name is Ian. I'm probably not what most of you would expect to see on the rookie track; I'm probably the oldest person on the rookie track. I am a rookie as far as InfoSec is concerned: I started looking at InfoSec last year and I took my first paid position in February, so I'm a rookie in perhaps a different way. Now, the definition of madness is a phrase often attributed to Albert Einstein. There's no direct evidence that he ever said those words, but the sentiment of it, in my experience over the last 12 months, is quite key for InfoSec.

Before we get started, a little bit about me. I worked on my first computer in 1980, I worked on my first industrial control system in 1987, and I took my first IT qualifications in 1989, and looking around the room, probably some of you weren't even around then. So that's the first computer I ever worked on. Hands up if anybody else... there's a few of you. That was the first industrial system I ever went on: it was an Argus 4500. It was originally built as an industrial control system, but the one that I used was adapted with a Coral 66 compiler and we used it for a private military messaging system. I've spent 10 years in the RAF. I've worked in education, both as a lecturer and as an IT technician or network manager. I've worked in small business, one building, 30 users, and I currently work for a builders' merchant group with about 700 branches across four countries in Europe.

Last year we identified, maybe earlier than last year, but we identified that we've got no operational security. We had a guy that sat in the corner doing policy, but we really didn't have anybody doing any operational security, any real kind of proactive security, and so they sent me away to do a course. The course they chose was this one: it was CEH. Now there you go, you see, that's exactly the reaction, not quite from so many people as I expected, but that was the reaction I got everywhere. But it's not that bad. I was really excited to go, I really, really enjoyed the course content, I came home full of enthusiasm to learn more, but what happened when I came back was that I got exactly that reaction. Everybody shaped their habits, people ignored me. When I tried to reach out to people... I work in builders' merchants, you know, there's no other security people there. The only way that I could communicate with people was through social media, whether that was Twitter or LinkedIn or Facebook or wherever it was. But when I reached out to people, the minute I mentioned CEH, I was cut off. Some, you know, started to put me down, or they started to put the qualification down. They told me that I had wasted my time and wasted my money. Pretty much, I was offered very little help and guidance at all because of the qualification that I'd done.

On that qualification, though, I learnt what data our systems leak. I learnt how we can use open source intelligence to go and find exploits based on that data, how we can then exploit those using Metasploit and other tools that are freely available on the web with tutorials. I saw examples of privilege escalation, of lateral movement, and although it was on an unpatched XP VM, I delivered my first payloads. I had never, ever done that. Now bear in mind that I worked on my first computer in 1987; nobody had ever shown me that before, nobody had ever explained any of this to me in detail before. I came home, as I said, really excited: for the first time in 30 or more years I'd found a subject that I really wanted to kind of grasp hold of and work through. And when I got home and I started to reach out, pretty much that's what I was told: OSCP, Offensive Security Certified Professional. I guess it's the pinnacle of penetration testing or ethical hacking or offensive security. It's as far apart as it could possibly be, really. You know, it wasn't helpful. CEH was a beginner qualification done by a beginner who is now reaching out for more help.

Kai, can you stand up for a minute? Sorry, I'm making him work. When I practised this talk I could move about, and here I can't move about. So if that's OSCP and I'm CEH, how do I get from here to there? Don't go all the way around the wing, just go straight there in a straight line. What's the journey that I've got to take to get from here to there? Don't keep telling me I've got to get there if you're not going to help me get there. That was what I found. Thanks, Kai.

I struggled for some time after I'd done that qualification. I struggled with impostor syndrome; I started to question whether I was a bit of a fraud. I mean, I've been doing this for 30 years, 30 plus years: how had I got through all of that time without knowing any of this stuff? And I started to ask friends and colleagues, I started to ask members of my IT team, some of the developers, some of the managed service providers that I went to work with in my new role, and actually I found that most of them had very, very, very little understanding of how breaches occurred or how vulnerabilities are exploited, and that everything you need to do it is freely available on the web. You don't need to be able to do anything clever. That's not entirely true, but you can get started really simply and really easily, and if you can find something on Shodan you can start firing exploits at RDP, and we're going to see that in the next few weeks.

I wasn't alone, and that was quite key for me, that I found out I wasn't alone. This was an interesting tweet that a lady in the States put up, where she'd been told she wasn't cut out for InfoSec because she wanted to study with other people; she didn't want to do it on her own. Malicious, I don't know if she actually made it into the room, but Malicious put this up, and it hit home to me because I used to work in education. I lectured in FE, and I worked in education both as an IT technician and a school governor, and it was all about learning. We were about professional development as well as about teaching students. Every Thursday morning, for 48 weeks of the year, for five years, we went into a staff room and somebody within the teaching staff or the support staff did a short presentation on some best practice or something that they'd found that worked well. So I got 48... 24 hours a year of free training, of free professional development, because that was the culture within education.

It seemed really strange to me that we don't have that culture here, and that a newcomer that comes along, that's just starting out, gets told that he's got to go and do a qualification that's so far out of his reach, because that's the only way you'll ever be taken seriously. Melissa's been here. We need to move from "try harder". Try harder has its place, but try harder shouldn't be the sole method we learn InfoSec. We shouldn't be telling everybody who comes in that they've got to go and do that learning on their own. If we're not sharing this information with each other, how on earth do we expect our helpdesk operators, our developers, our sysadmins to learn about security? You know how many of them don't know about reconnaissance and enumeration and assessment and exploitation? I'll tell you how many: a large proportion of them. I now, in my new role, go out and meet all of the people that we acquire. We're a business built on acquisition, and I go out and I meet all of these small businesses. All of their IT is outsourced, and I go and meet their commercial staff and I go and meet their local IT support companies, and all of these managed service providers, every single one I've met... so that sounds like a lot, doesn't it? I've met four. But the four that I've met have absolutely no idea about this stuff. Now, when I say to them "why have you done that?", their answer is "well, because they asked us to". They never challenged it, but they don't challenge it because they don't understand they're doing something dangerous.

We need to change the approach. I think we need to change the approach... it's my opinion that we need to change the approach. We need to get away from the gatekeepers, we need to get away from this try harder approach. "I'd like to do an OSCP." "Then you can try harder." And people say it's not possible, but it is possible to change attitudes. It is possible to change the way we approach things. In 1980, when I started working in computers, drink driving was a bit of a macho challenge. We'd go down the pub, have a load of drink, we'd drive home, and then we'd go down the pub the next night and brag about how many pints we'd had before we drove home. And wearing seatbelts: there were cars that didn't even have seatbelts in them. Speeding was never talked about. Well, it wasn't because it was taboo or anything, it was just never talked about. Speed wasn't something that was in the conscious mind. Now, thirty years later, you would... I hope you wouldn't think of drink driving. It's certainly got a different term, it's certainly got a different attitude to drink driving, and it's frowned upon if you do it. Wearing seatbelts is now second nature; it doesn't matter where you get into a car, you put the seatbelt on. I got into a London cab last week when I was down here: you sit in the back of the cab and you put a seatbelt on. And speeding, it's quite interesting, because it's become the new drink driving. Not even more than two or three years ago, really, you might have heard somebody say "oh, I've got a speeding ticket on that flipping camera down the road", and the answer would have been "the speed cameras, they're a pain in the backside, they're the worst, they're dangerous, they don't do any good". Now, I've heard those conversations, but they've been turned on their head, because now people say "I've got a flipping ticket off that speed camera down the road" and everybody says "well, if you weren't speeding you wouldn't have got a ticket". So attitudes do change and can be changed.

What's going on? It's frozen.

There we go. Anyway, so away from driving, back to InfoSec. We do need to change attitudes. Last year's course fundamentally changed my understanding and approach to security and IT. I went from being a team manager delivering infrastructure, not really understanding what I was doing, to now being the operational, active security person, building a security team, building a security culture. But InfoSec is a journey. All journeys have a beginning. There are many destinations; there are many routes to many different destinations. If I'm trying to get to Kai, I can go around the room, I can go up the middle of the room, around the back, I can go directly there, I could just climb over all of you just for the fun of it. One thing doesn't fit everything, one way of learning doesn't fit everything, and people don't know what they don't know. How can you try harder when you don't know what you're supposed to be trying? I presented this talk to my lovely mentor, who probably bribed you all with sweets to come in here tonight, and he said, "it's fine having a rant, but what are you going to do about it?" And I didn't really know, but it was an interesting challenge. So I'm here today because I listened to a podcast, and a lady called Rachel Tobac issued a challenge. She said, "don't wait until you're ready; if you wait until you're ready, you'll never be ready. If you want to do something, go and do it." So I submitted my CFP, and I'm here today because of that challenge. So I'm obviously somebody who can't resist a challenge, and when Kai asked me about what I was going to do about it, I didn't really know, so this is my first step, my first attempt at what I think we might be able to do.

I'd like to build a new community for beginners, a community where it's safe to ask questions, where no question is silly. You won't be told to try harder. You might be told to try Google, but you won't be told to try harder. The only thing that I didn't have chance to do is change the Twitter handle, because I set this up about two or three weeks ago when we were doing it, and Twitter, in their lovely way, have removed the account and won't let me into it. So the Twitter handle now is "infoset and you come one"; the RS has disappeared off the end of it, and I didn't have chance to change the slide. There is a Slack channel, it's called Learning, Sharing, Securing IT. It's by invite only at the minute, because I'm excited to do it any other way, but if you join me on Twitter, or you email me at that address, or you can contact Kai, I'm sure he's also in there, and we would love to have you join us, and we'd love you to invite other people to come and join us, because we can't do it unless we all do it together. And although I've ranted about how little help there was, I've had an amazing amount of help from the BSides team and from my mentor, and it's been a fantastic day here. This is my first ever conference and I'm doing my first CFP. I've done my first talk at my first ever conference, and I've had an amazing amount of support at that, but it took a long time to get there. I could have done with that support twelve months ago. And that is it really: if we don't change what we're doing, are we going to see different results?

So we really don't have time for questions, but I'm going to exert MC privilege. How many of you have taken the CEH class? Okay, how many of you actually got the CEH certification? How many of you got OCP... OSCP, sorry? Does that make it feel better? Lots of people take the class, they learn to use the tools, and no one goes for OSCP.

No, the point I think I was trying to make is that's what the gatekeepers are saying. That's the first point, that's what you hit when you first start, but no one does that, has done that. Absolutely, very few people have done that.

With that, I'd like to say thank you very much. Wonderful presentation.