
Hacking up the Chain: Stories & Tips for Communication to Bosses, VPs, and C's

BSides Springfield · 2017 · 33:22 · 54 views · Published 2018-02
Category: Career
Style: Talk
About this talk
Security BSides Springfield, 2017 (Drury University, Springfield, MO). Talk 1.5 - Ben Miller - Hacking up the Chain: Stories and Tips for Communication to Bosses, VPs, and C's.

Slides for this talk were not available; the video download links are coming soon, on the Drive below. Download the audio podcast version of this talk at https://drive.google.com/open?id=16kD-dq7f4IuX2dCoIgbEQfzSGkncBfXy

Link to slides, download video and podcast versions of most other BSides Springfield talks: drive.google.com/open?id=0BxW...

The podcast versions of most of the talks are also at https://soundcloud.com/securitybsides/sets/bsides-springfield-2017, and this one may also be there shortly for streaming and download (you can use the Drive link above instead just as well).

Music featured at the end and beginning: "Over your cities grass will grow" by Ötone (Pablo Diserens), from the label YGAM @ygam. Used with permission from YGAM and the artist. Learn more about the artists and download the songs for free at soundcloud.com/ygam/sets/otone-past-structures-present-matter-ep-ygm003-1 or at the bandcamp pages linked on Soundcloud. All other audio is from the conference or the VOC team.

Official Links: @BSidesSpfd www.securitybsides.com/w/page/116970567/BSidesSpfd

VOC angels: @ablythe twitter.com/ablythe, @cherokeejb_ twitter.com/cherokeejb_. Follow cherokeejb.blogspot.com/ for more video and audio from Springfield, as well as upcoming DFIR, security operations, and forensics posts.

Organizers and other volunteers included (thanks!): Beth Young, Shannon McMurtrey, Lorne Hazlewood, Steve McIntosh, Matt Stephenson, Ryan Halstead.

Sponsors (also, a big thanks!), with special thanks to augustalocksports.org/ @pickaugusta: Jack Henry & Associates, Inc., Drury University, Revolutionary Security, Forcepoint by Raytheon, O'Reilly Media, Splunk, Motta Network Experts, Inc., No Starch Press, IBM.

Other presenters: @armycyberinstitute @amaughan @c2thewinkler @securithid @sysopfb @motta_mike mnex.biz @westongeorge @sysopfb

From Ben: You know you have the right info, understand the risk, and have presented your technical case to the CXO or whoever. But they don't listen, or they scoff at the need to take action before they are hacked and become another statistic! Why do execs and non-technical people not listen to you? Are they just dumb? They can't read the news? This can be especially frustrating when they hired you to tell them about these problems in the first place! What is a hacker to do? We hack our communications, message, and delivery. I'll present to you the hard-earned knowledge of years of telling people how they will be breached, and how to say it so your bosses, your VP, or your CXOs actually listen, understand the depth of the risk, and TAKE ACTION. We just want to help, and surprisingly the execs want our help. Let's work to make sure they grok it. Here are some of the quick wins: If you can't measure it, it isn't real (to them). A cool hack is not as interesting (to them) as one that demonstrably affects The Business. Yes, most execs want you to understand the WHY of their plans (and want to know yours!)
Transcript [en]

[Music]

So I want to talk about one of those things that doesn't get talked about a lot at a lot of security conferences, and that is talking. My background is basic network route/switch, which then I got into healthcare, then I got into hacking, and now I do cloud stuff. And I talk a lot, you know, you've seen me talking a lot already, but talking hacker, talking tech, doesn't translate well to talking business very often. So in true BSides and hacker conference style, I'm going to tell you about some of the ways I have utterly failed, so that you can learn from that and do better as you work on your careers, as you work on helping clients or maybe your own company, so that you can be better than I have ever been and do much cooler stuff and touch a day I will never see.

So this is how we talk. Who here has not said that phrase? Come on, "pwn the noobs." I have had to explain the three-letter "pwn" to so many people. Like, that's not funny, why did you say that, why are you using that phrase, this is not how normal people think. One of the best compliments I ever got back in my hospital career was the risk management lady saying, "you think like a criminal." She wasn't meaning it as a compliment, but I took it as one, because I knew that hacking... and that was what I wanted to get into.

What we really want to remember is that nobody cares that we can pwn the noobs. Nobody cares that we got DA. Nobody cares that you did the cool elite zero-day hack. Nobody on the business side has any idea what that means, and so it doesn't matter. Just like, who here loves hearing profit-and-loss statements? Who here likes to hear about hiring strategies, markets, attack planning, and estimates of potential client success? Yeah, those are really boring phrases I've had to learn in the last six weeks, because I'm writing business plans now. That was not a career goal when I got started. So what I want to bring to you is the idea that yes, we have to do what we do, we have to attack, we have to cause these issues to come to light, but we need to make sure that we're communicating it in a way that people believe it. And yes, Ernie, this is a jab at you, and you're not even looking at me and I'm hurting. That's okay, because you're the one that said, "oh sorry, Star Wars, Star Trek, they're both the same." No. No.

So a little bit about me again. I started in tech, I got into HIPAA, I literally went to so many meetings that my name was on the forms for all the HIPAA stuff, and I realized that meant, especially in 2009 when HITECH came out, it was my butt on the line. And like, oh, I better learn how these hackers think. It took a great class by a great company based out of St. Louis that also put on a great conference, and I started learning basically how easy this was, the hacking stuff. It really shouldn't have been. So I got burned out dealing with clients and I transitioned into like SIEM work and doing business planning and cloud stuff. So I've done a lot, I can tell a lot of really weird stories, they're best served over beers, so hit me up later and then I can talk when I'm not on video and I have even better stories.

But there are some stories I can share with you of my utter and complete failures, and this is probably my favorite one. Who here, this is your first BSides? Yes, like two-thirds of the room. Who here went to BSides Kansas City a couple months ago? Who was in my talk for that? You've heard this story, but I'm gonna tell it a little different, and I'm sorry for those BSides KC people, but this is literally my very favorite story. Early in my pentesting career, again, I was a network route/switch guy, so I didn't know web app pentesting very well. I learned: you start Burp Suite and you watch the traffic, and if there's little blue parts you can manipulate those numbers, and sometimes, very very rarely, that means you can cause problems on the website. So we got handed a contract and it was a web app, it was a cloud infrastructure-as-a-service company, and they were like, "just put it all in our cloud, we will take care of everything for you, it's a hundred percent uptime guaranteed, it's secure, it's awesome." And they already had clients in it, and then they went, "we really ought to get it tested." So you know where the story is going, right? I took a look at it, and you know, okay, yeah, web, cloud, the thing. It took them a while to set up and provision my access. I start up Burp Suite and I get to my servers and I'm like, wait a second, little blue squiggly line here says customer ID equals 20. Huh, wonder what happens when I put in 1 or 0, I can't remember which one it was. I had access to their entire cloud infrastructure by changing one parameter in a Burp Suite request. Those of you who are doing the CTF right now over in the other room, that's like the second question, is how to do that.

So I literally run screaming from my desk to my boss: "Dave, you won't believe what I just did!" He tells the story even funnier because he makes my voice sound higher, but I did, little girl screaming, absolutely, little boy, whichever way you want to go with it. And he verified it: yup, we can take over the whole cloud. So we make a new user, new admin for the cloud, Hal Jordan, and then he made me make a Han Solo because he didn't want to use Hal Jordan. And we call up the client, we're like, "guys, this is bad, this is really really really really really bad." Client says, "well, let's get the engineers, let's get everybody, the stakeholders, in the room, let's go to the big boardroom at this place at this time." Okay. At that point I had been in on very few boardroom talks, so I had to put on my "oh, we're going to the client's" suit of a polo and slacks instead of Green Lantern shirt and jeans, and we go in and Dave's like, "well, explain what you found," and I did the verbal equivalent of pointing at a dumpster fire sign. And the developer says, "so what?" And we're all going, what? I can burn down your infrastructure, I can create users named Hal Jordan (and my boss was like, you should be ashamed of that), I can do anything to your environment that I want to. But that didn't matter to the developer, that didn't even matter to the C-level. I explained it in hacker terms: I got DA, I got your cloud, I got your admin, I got everything. And they're like, okay.

So my boss at the time had to translate into business: okay, so all your clients, we can delete all their data so they leave. All your uptime guarantees that you're gonna pay out on if you're not up? Yeah, we can make you pay out and take you down. All your various numbers that you're tracking on what you do and how successful you are, that whole profit and loss statement, we can tank. Now sadly, unfortunately, the business owner was not that good at the business owner thing, so he still was saying "so?" And this eventually became a court case, and that's why I can talk about the story, it's a matter of public record. So yeah, I gave them good info from my frame of reference, but I didn't give them good business info. I didn't make it make sense to where it hurt them. And I've especially learned since then to make it so that non-techies can grok, which is a so-techie word, so don't use that one with business people either. Half the time it's got to be in monetary form. If you can't explain how what you did causes profits to sink, shut your mouth, just don't even bother, let somebody else do that talking. The problem is, who here wants to do that kind of talking? Exactly, no hands went up. Nobody really wants to jump to that: "I'm a cool hacker too, I'm a business leader that can talk about spreadsheets, have an MBA." But we would probably have a way better impact on the world if we did. So I've bitten the bullet and I'm probably gonna be learning a lot of that stuff, maybe have mercy on my soul.

So yeah, some other things and some bad ways that I've communicated. Have you ever been in the shop where this is what gets thrown around in Slack, before there was Slack, where everybody's just like, I hate my job, I hate Monday through Friday, not just Monday, I hate being on call, I hate dealing with users, I hate dealing with management, I hate, I hate, hate, hate. You take all that hate, you stick it inside, and it eventually becomes a tumor, and you know, that's just the environment you're in. Yeah. So I was there about a year and a half ago, literally at that place, I swear to God the name should have been "hate everybody," in a couple-hundred-man IT department. How many of you guys have a hundred, several hundred people in your IT department? Yeah, all of them would say they're overworked. I have about a 20-man IT support department right now, and while there are still some guys who are like, "oh, I'm always overworked," like, I saw your links in the memes channel in Slack tonight, overworked. There's a difference between everybody feeling they're overworked and actually being overworked, and being inefficient about it, having inefficient processes.

So I was in this place, "I'm too busy," meanwhile my job, what they would ask me to do, I could get done in about a half hour a day, maybe. I would take my phone with me, because the internet egress web filters were really well locked down, really secure company, so I bring my phone with me and play on Facebook, played mahjongg, Clash of Clans, whatever. I had to start bringing my battery in to charge my phone halfway through the day so that I could play in the afternoon on my phone. And I bring this up to my boss, because, you know, being bored sucks. I know it's not something very many IT people ever have to deal with, and I thought I never would, but it sucked. I would come home and just be like, so drained from being bored, and my wife notices this and is just like, "this job is really unhealthy for you." I'm like, compared to, you know, jet-setting and drinking every day and, you know, like all this? She's like, "this is worse. You on a hacker conference bender is not good, but this is worse." Okay. So I bring it out to my boss, like, can I do something else too? Can I, you know, I have these other skills, can I, you know, pseudo-join this team, can I do this, can I put this in place? "No, no, we can't do that, we've got very strict delineated roles," and for at least four minutes of that, and he starts saying all these security words, like, "it's not really what that means, wait, wait a second, you just don't want too many people to have to..." I mean, like, you have some good reasons, but for the most part you like having everybody pissed. Like, that was their management style. And I'm just like, ha, this is not gonna work, guys. How can we measure what we're actually doing?

So I had a very small group of core guys that I worked with on a very specific team that I will not name, because some of them might watch this video later, and we said, hey, we could start tracking this and how much it's actually taking us to do and the effect on the company. And then I ended up also getting to do a phishing exercise, which is great, because I mean, I needed that hit in the arm, from leaving hacking and not being able to do phishing exercises, I needed another hit of the "haha, tricked you" drug. So I got to set it up, but I set it up so that hopefully I would look good or bad depending on how it worked out: yeah, we caught the hacking that happened inside. But we didn't, because that security team, they really weren't doing what they were saying and complaining about being so busy doing. So we ended up having the numbers to show: yeah, we've got 500 IT, 200 IT guys, however many, but this is the amount of good it's doing us. And that's the kind of thing where everybody thinks they're gonna have the Bobs conversation: "what would you say you do here?" And they start worried about getting fired. But what we also figured out was, dude, let's force-multiply here, let's change some things around so that less people doing less work equals more productivity for what we're actually trying to do, rather than everybody grumbling. And once you had it measured, properly measured work, and people could see that yeah, you're busy, but your busy equals this awesomeness for the company, there was less grumbling, there was less, you know, I won't say violence, because there was still a lot of "I don't like that guy in accounting" and all this, but there were less interpersonal conflicts.

So, and here's the thing, I don't have... the other story I can tell you specific things: make sure you tie it to profit and loss. This takes a lot of extra work to figure out how to do this for you. Anybody DevOps fans? Phoenix Project? A few hands, okay. The Three Ways and the four types of work, that's where you get started. Now I'm not in a DevOps shop, I don't know if I could survive in a DevOps shop, but that to me is where you have to start figuring out, okay, what is work? When bad things happen, is that work? Is it unplanned work? Are changes work, or planning work? All this kind of stuff. So I have no "this is how you do it," no secret sauce for this, but I'll tell you The Phoenix Project is what got me to that point of figuring out, okay, this is what is work to me and this is what I need to communicate better.

My boss right now, he is very fond of, "hey dude, this is what I tested and these are the vulnerabilities that are no longer vulnerabilities on our system." He doesn't care about "oh, I ran this scan and I could have done this." No, I'm like, "oh, we're not vulnerable to that anymore." Yeah, that's what he wanted to hear. NotPetya, yeah, Petya, yeah, anybody have horrible, horrible days from that the other day? I didn't, because I read the advisory in March. I'm like, oh, this is going bad, are we patched, are we gonna test? Yeah, okay, we had this many systems that were vulnerable, now we have none of them internet-facing and they're segmented into this network, so if somebody gets an email we're good. And I presented that, and it was like, okay, another vulnerability, we're good. My CFO still didn't understand what we had done, but he went to a CFO gathering, and yeah, I'm thinking, God, how boring is that. He liked it apparently, because what happened was his peers were bitching about Petya and WannaCry, I think WannaCry more than Petya, and he was just like, "I didn't hear you guys telling me that this was gonna be a problem." Like, yeah, I fixed that. And basically he was like, oh, I can tell all my peers that I didn't have any of those issues because I got an awesome security guy. I'm like, yes, especially if you say "awesome security guy Ben," Green Lantern shaped. But no, it still wasn't real just giving him those kind of hackery numbers of the vulnerabilities. But as soon as he could translate it into CFO-speak, "I don't have the same problems as everybody else, so I can focus on my profit and loss statements," he was happy. I still don't know how to talk to Scott, that's his name, properly, and I hope he sees this video so he knows that, but maybe someday we'll have some shred of common thing other than we both want to do better for the company. How long am I talking, to 12:30? Okay, we should be good.

So this is, I have to cite my sources, this is a borrowed sales story, this is not my sales story, but I've been telling it enough I can make it sound like my sales story, but I'll tell you the source when we're done. Not that slide. Communicating is nice and all when it's one direction and it's just "this is what I did." That I feel like IT people can learn, we're used to just telling people things and knowledge-dumping and doing all that. It gets a lot harder when it's a two-way communication, when you actually have to have a conversation with somebody and listen, because who here is great at listening? Yeah, me neither. That really gets complicated. So the story goes that a new sales director is hired that has had a vast, vastly, exponentially awesome career of taking sales departments that are flailing and not bringing in money. What I learned not too long ago is every salesperson has to support like 10 other employees with what they bring in, and in this organization the salespeople were doing so badly that they weren't supporting their own salary, much less 10 others. So they bring a new sales director in and she says, "this is how we're gonna do things, we're gonna change compensation so it goes this way, we're going to make sure that we're focusing on these markets and these products, and it'll be awesome, go." And the salespeople, generally speaking, just like us, if you change your compensation plan there will be grumbling. "I used to do my job one way and get paid one way, now I'm doing my job the same way and getting paid less because I didn't listen," grumble grumble, [inaudible], whatever. So the sales department does not turn around, a few people leave, and everybody's like, this is scary, this is not, I don't feel like I'm working in a good environment anymore.

So luckily one of the salespeople happens to know a consultant and brings this up, because consultants solve everything, right? You guys know that. Like, you can say what the thing is that needs to happen in your organization, but for it to actually happen you need to call somebody out, pay them three times as much per hour for them to say the same thing, and then change happens in your organization. There's actually a mental reason for that: people listen when you go out and pay somebody specifically to say something, you're more likely to listen to it. That's like a known thing, and why consulting can be quite nice. When I was doing pentesting I would go to the IT guy, as long as I knew it was okay, just like, "what have you been telling them to fix for five years?" "Oh yeah, that's what I found." Let's go talk about that, and then they were immediately like, holy..., and then I would put it in my report, things would happen and change, they'd up my budget. They're like, "how do you work this magic?" Like, they paid me specifically to tell them what to do, they pay you to do what they tell you to do. You just gotta flip the script a little bit. No, seriously. I worked on way to the apprentice, which was really fun, when it was a social engineering thing, they weren't supposed to tell me where the problems were. Cycle point.

So in this sales story the consultant says, "did you bring these concerns to the sales director? Do they know you're having issues?" "Well, no, I'll get fired, I can't speak my mind to my boss, are you kidding me?" Who's been in that thought? I've said, yeah, so there's not, there's a handful of those people, I don't know if I want to say it because I might get fired because they're watching through a webcam. But here's the thing, and I've seen this on the consulting side, but again this isn't my story. The consultant was luckily working for the company, goes to the sales director and says, "your people are grumbling and they're worried that they're all going to get fired because the numbers aren't doing what you said they were doing." The sales director says, "no, that's the point, that's the plan, this had to happen so that we could rebound and jump back up, that's the whole plan. I've done this ten times at ten other companies, that's how I'm successful." And the consultant to the sales director: "do they know that?" And the sales director person goes, "well, that's, if they didn't understand the why of what I'm trying to do, they would ask, right? They would speak their mind and tell me, right?" I think if something goes... well, depends on how you've worked relationships in the past, and you're new, these people don't know you, they don't know to ask you and be honest and ask for whys. How often have you understood what your boss was trying to do when they bought a new technology? You knew why they were buying it? How often is it, "hey, we're buying this cool technology, implement it"? Did you ask why? Did the boss have a why? Are all our bosses pointy-haired leaders that have no idea why they do what... most of us will begrudgingly and not happily say no, they're probably not, it is, it is having to look like idiots and they should listen to me more. But why? You have to build that two-way street of communication, of trust, before you get to that why point.

That's also in the Phoenix book, The Phoenix Project book that I mentioned, but I actually learned that, and I couldn't get a picture because the Amazon logo of the book was way too small, so if you write nothing else down during this talk, write down this book: Extreme Ownership by Jocko, J-O-C-K-O. He's a Navy SEAL instructor, and he has this Extreme Ownership book. It is the story of how he turned around, I don't remember what city it was in Iraq, and how, what he had to learn to own the situation and change it for better and lead his men. And so I like to think I'm okay at leading, because nobody's told me I'm not, the people that I've had to manage and deal with, but there's a big difference between "hey, I need you to work a little bit late and finish this project" and "I need you to go out there and get shot at." So I kind of take his lessons as a little more useful than mine, probably. His experience is probably worth more than mine. So when he says the way you start these conversations is you have to be the one to take extreme ownership and ask your bosses, "why are we doing this?" You have to start that communication and build that trust so that they know that you're a person who will bring up issues. And here's the caveat, the lesson learned: you have to have a solution. If I'm gonna take your questions of why I'm doing something, as the leader, you better have another option for me to entertain. If all you're doing is complaining and bitching, I'm not gonna listen this much. That's not useful, that's not productive, that doesn't get us anywhere. But when you say, "hey, we did it this way because..., and I thought if we changed it that way it would do X," then you've actually given a possible solution that may be better or worse, we've started a dialogue and you can communicate on that.

Has anybody heard some of these... see, I was gonna put a picture there. Has anybody heard some of these concepts before in social engineering? So that's what I did for a while at Parameter, and it was so much fun. Like, walk into a place, cause I look like the IT guy, and just be like, "hey, I'm gonna fix the copier," they're like, yes, I go and I'm owning everything. It was great. I started learning social engineering and psychology because I wanted to be better at that, and what I found is it has far more massive effects outside of just walking into a building with a balloon and taking over a network. It's taught me that we can do so much more to massage our message as tech people if we have that foundation of there's a reason for doing it. If you're just doing it to mess with and manipulate people, that's fun and all, don't get me wrong, I may or may not do that just to keep in practice, but if you're doing it to make your business better, your team look better, your people feel better, that's not just social engineering, man, that's leading. That's showing them, this is the direction we're gonna go in, I'm going to show you how to do it, just help. And when you provide that demonstration rather than telling people "go take that hill," you're not just managing, you're not just the tech guy, you're the tech guy who knows how to talk to people. And I can say from personal experience that's exactly what a lot of companies are looking for. I highly recommend you pick it up. Now, some people, that is no interest for them at all: "I want to be buried in code 24 hours a day, seven days a week, don't take me outside, don't put me in front of clients." Nothing wrong with that. But if you are at all interested in someday doing something that doesn't involve lines of code and all of that, start picking up social engineering, pick up those two books, start figuring out how the people around you think and translate things to their language.

So hopefully what you've learned is that I have utterly failed at my job several times and not gotten fired, which is a useful lesson by itself. My family is really glad for that, three bullets that eat a ton, specifically very happy for that. Hopefully you have learned that yes, businesses, as bad as you may have it at your business, there is worse out there, the first story. That no matter how bad you may have it with dealing with work, there are people who feel like they had it worse, the second story. The third story, there's a really good book to read, because that story, I'm still working on it. But hopefully you've learned that there's more to being a good hacker, good IT person, good business person than just popping 0-days, because 0-days, if you look at the right product, are so easy to find, and some of them are really hard to find, we need Tavis Ormandy for those things. But what I really wanted to get out of this is you can take control of your communication, you can do more and do better and really cause some awesome positive change. So like Beth said, I happen to help out with this really awesome conference in St. Louis. I'd love for everybody who's got three hours drive time to come up September 9th. Tickets are still open, CFP is closed. Again, hopefully people know who's going to be speaking here fairly soon, but I'm sure I'll get some people that can't make it for whatever reason, I gotta adjust the schedule, it always happens. If you'd like to hear me ramble more in a text-based form, I'm on Twitter, and hopefully you can come out there.

So any questions? I've got 10 minutes, it looks like, and I can talk about other things if there are no questions, so I always build that in. Anybody? No? Impostor syndrome and Dunning-Kruger and all that, yeah, the more you know, the more you think you don't know. Remember this: it's not that you don't know a lot that everybody else knows, it's that you know a lot that a lot of people also don't know, a little bit that you know. It helps me sleep at night, man. Questions? I will stare at you awkwardly, I'm not going to let you off easy. The second book that I said was Extreme Ownership, the first one was The Phoenix Project. Both of it is... has everybody read The Cuckoo's Egg? That's like the one everybody needs to read. Cuckoo's Egg, Phoenix, okay. So a book that you also need to know about hacking, and just kind of the story of how things work, The Cuckoo's Egg. You never know what everybody else doesn't know, see? So yeah, and I seriously, I'll put out book recommendations and stuff up on Twitter for the next three days. I really like to read. Half the reason why I got into hacking and was successful is because, yeah, I'll sit and read the RFP, RFC, excuse me, I'll sit and read the documentation, I will find a problem, I can read it faster than everybody else and I can output it into something useful for everybody else. For them, great question. Next. Twitter handle is @securithid, or the more important one, BSides STL. You might want to take a stab at why it's "securithid." I don't have anything to give away, my cookie. Okay, here, next person that asks me a question that's actually useful gets a shirt. I get to determine useful, or I'll keep it. This is a Splunk shirt, I only have like five of these, actually don't have this specific one.

The best book I've read for social engineering? Okay, this is a two-part answer, and do you have one of these? Nope. Good, that's an awesome question. So there are so many good books on social engineering, oh my God, anything by Chris Hadnagy, social-engineer.org, and that's kind of a giveaway to answer. I'm not gonna say a certain famous hacker's books, just because they are good books but I don't think there's a lot of "this is how it's done" in there, which is a second throwaway answer. The actual one that taught me the most about social engineering that I've used effectively is a book called Wizard's First Rule, and it is a fantasy novel written by Terry Goodkind, the first of an incredibly... well, there you go. What's the Wizard's First Rule? You didn't read it enough. People believe what they want to believe, and two parts to it, and what they're afraid to believe. To me that is the epitome of everything social engineering. If you can elicit an emotional response because somebody wants that response to happen or they're afraid of something, you have them. It works in an email, works in person, it is the epitome of all of it. So you really don't have to read the book to get that. The first four books are a good series, the rest of them, then you gotta really like Ayn Rand, and let's not even go into that. So good question. Anybody else? I still got five minutes, I will stare awkwardly. Nope, good guess though, think more nerdy geeky. No, I don't just do that, he might play in the CTF, I highly recommend. Okay, you're the one that, yeah, so yeah, keep people, play the CTF, it's awesome. What else can we talk about? I guess I will give back my time. We can cut the last three minutes out of the recording, right? Just the awkward question-and-answer. Okay, yeah, yeah, so with that, thank you all. I will be around the rest of today. Are we doing an after-party, something? Is there a bar we should all hit? Is there a bar you and I are going to hit? Okay, so I am NOT buying drinks, but I have way more fun stories to tell, you can definitely buy me one, I have even better stories for the people to tell it to, buy me beer. So yeah, let's, we will have somehow, we will say that at the end so that we will go to that bar and yes, I'll hang out, you gotta have some kind of meetup. So alright, thank you guys, thank the sponsors, thank that...

[Music]