
All right, everybody, hey, welcome. If everybody could just kind of take their seats, shuffle in, relax, and we can close the door, that would be awesome.

Morning, everybody. Welcome to day two of BSides Las Vegas. Thank you for being with us today. As you can see, we are here for an awesome talk, "Trust Me, I'm a Robot", with Nimrod Stoler and Nethanel Coppenhagen, who will talk to you about some amazing stuff. Just a couple of housekeeping matters. Number one: please, no recording, nothing like that; we're taking care of that for you. Besides that, photos: if you want to take photos with anybody, you have to ask their permission, so we've got that. Also, please check your cell phones. We all have cell phones, and nobody wants to hear yours for the next hour, or mine, so just do a quick check. So without any further ado, I'm going to let the people you're here to see take it away. Thank you for being here again.

[Applause]

All right, so hello, everybody. Thank you very much for joining us here. We are extremely excited to be here with you today. With me here is Nethanel Coppenhagen, and my name is Nimrod Stoler. We are both security researchers from CyberArk Labs, which is located in Israel. This session today is about the research we conducted on the Blue Prism robotic process automation platform. This research yielded eight CVEs in different severities, ranging from medium to critical, and today we will be publicly disclosing for the first time three of these attack vectors, the full attack vectors which yielded three of those CVEs.
So today in this session we'll be talking about what RPA is, how Blue Prism comes into the picture, and where all the secrets are. But first we want to answer the question here on this first slide, and the question is: how do we know we can trust robots with our secrets? If we see a robot, how do we know if the robot is trustworthy enough that we can trust it with our most guarded secrets? So in popular culture we can say that robots are either faultlessly loyal Victorian butlers or psychopathological killers. We can take for example Isaac Asimov's positronic brain robots with their three laws of robotics. You have a very short version of the three laws here on this slide. These three laws of robotics are simply carefully engineered safeguards put in place by Asimov in order to prevent robots from harming humans. It was Asimov's way of creating ethical robots, robots that would not only protect human lives but also human interests. So if we look into our two types, the loyal butler type and the psychopathological type, which one would Asimov's robots be? Can you help me here? Yeah, it probably will be the first type, the loyal butler type, and we might just consider letting those robots in on our secrets.

And what about HAL 9000? Was HAL a highly trusted robot? Would we trust HAL with our secrets? HAL 9000 is a sentient artificial intelligence computer that controls every aspect of the Discovery One, which is on a mission to explore Jupiter, and interacts with the human onboard crew, the astronaut crew. So in the Space Odyssey, bad instructions given to HAL directly from the White House, believe it or not, caused HAL to kill the entire human crew for the preservation of the mission. So in this case, which type of robot would HAL be, or fit? It would be the second type: HAL is probably the psychopathological killer type, and no secrets for HAL.

Anyone here recognize these robots? Okay, maybe three or four. Great. So these are the Daleks, the formidable Daleks from Doctor Who, the British science fiction television program broadcast since 1963, with over 800 episodes to date and still broadcasting today. As soon as the Dalek robots were created, they exterminated, as they like to say, the scientist who created them, and it was due to his specific command to them that they should become the strongest, most powerful in the universe. Well, according to the Daleks' logic, in order to become the most powerful in the universe they must kill all those who are stronger, and of course their creator is by definition stronger. So again, the Daleks are probably the second type, the psychopathological killer type, and no secrets for the Daleks.

So if we try to answer the question "can we share our secrets with the robots?", we can answer it by looking at their programming. After all, every robot is a computer, and computers use some kind of logical programming. So if we can somehow get a good, deep, thorough understanding of their software, we may be able to tell if robots are trustworthy enough that we can share our most guarded secrets with them. In cyber security we call this process reverse engineering, or software reverse engineering, and this is what we did in our research, and this is what we're going to show you here.
So we talked a little bit about robots, but we said that our research was on robotic process automation. So what's robotic process automation? Well, first things first: unfortunately there are no real mechanical or electromechanical robots involved in robotic process automation. RPA is not about physical robots. It is a software technology that makes it easy to build, deploy and manage software robots, robots that emulate human actions while interacting with existing digital systems and software, most of which are Windows applications. Now, these interactions usually involve some kind of keyboard injection, key injections or mouse clicks, and this is how the robots actually emulate how humans interact with those existing enterprise applications.

Many, many industries are currently benefiting from RPA: from banking and finance through healthcare and medical applications, human resource management, manufacturing, customer service, all with one common denominator, which is the extensive use of enterprise credentials. If we want robots to log in to, access and control those existing enterprise applications, we must place those credentials, secrets, passwords in the hands of the robot.

So we talked a little bit about what RPA is, and now, in our research, we had to choose a target. We looked a little bit at the market and we found that there are three large vendors in the market. One of these was Blue Prism, which eventually we picked. Blue Prism was also named a leader in that market by both Forrester and Gartner, so it was an easy pick for us, and we just went online and downloaded their trial software from their website, which was just the full-fledged software with a trial license.

Looking into the Blue Prism platform, we could see that it was based on the Microsoft .NET Framework and written mainly in C#, and here we have the architecture. The architecture of the Blue Prism platform is based on four components. First and foremost, and our prime target, is the application server, the Blue Prism application server. This is where all the magic occurs and where the logic behind the Blue Prism platform is stored and implemented. The application server relies heavily on an MSSQL database server. This is where all the users, the configurations, the business processes (business processes are the code that eventually runs on the robots) and of course all enterprise credentials are stored: in the database server.

Now, the application server may be actively accessed by two components. We have the interactive clients and the Blue Prism runtime resources. Interactive clients are the users' machines, the machines that are used by human users in order to set up, control and configure the entire platform. You may look at it as the graphic user interface, or maybe the terminals that are used to access the application server, and the application server itself is off limits to all users. The second here is the runtime resources. Well, these are the robots. These machines receive their commands, or code, directly from the application server. They run that code in order to log in to, access and control those external existing enterprise applications, and of course at one point or another we should have clear text credentials in those runtime resources, and those credentials will again be transferred from the application server.

So we are always interested in secrets and credentials. How are these handled in the Blue Prism platform? Blue Prism is using symmetric encryption in order to encrypt and decrypt critical data on their platform. That means that there is only a single key, one master key, that is used both to encrypt and decrypt their information. This key will be stored on the application server's file system inside an object that we'll see in a minute, which is called an encryption scheme. In the encryption scheme we may have the name of the encryption scheme, the algorithm used, and of course the key, the master key, used. So this will be on the application server. The passwords and credentials, on the other hand, and all other critical information, will be encrypted and stored on the database server. This makes sense, because
if somebody gets their hands on the database they will only have encrypted information that they cannot use, and such an attacker would have to find a way to get those encryption scheme keys from the application server, and that's not easy.

So after Nimrod talked about the components in the Blue Prism platform, we need to talk a little bit about how those components communicate with each other. The Blue Prism architecture is implemented using Microsoft Windows Communication Foundation, WCF. It is part of the Microsoft .NET Framework, and it makes the development of an endpoint easier and less time consuming. Let's see how it's done in our case. As Nimrod said, we have the interactive clients and the runtime resources, which are WCF clients. We also have the application server, which is called the WCF service. Between them we have a service contract that contains operation contracts. The operation contracts define the parameters and the return type of the operation. In our case the service contract is a C# interface, and its implementation is a class on the application server itself that implements all the methods, the operations. So when the WCF client calls the operation, the WCF framework takes the parameters, transforms them into a transmittable format and sends it over the network to the WCF server. Then the WCF framework on the WCF server, the application server, transforms it back into the parameters, like a .NET data object, and calls the operation, and after it runs, the result is transformed again into a transmittable format and sent to the client.

So as Nimrod said, we managed to download the Blue Prism platform and we looked inside. In our case the WCF service contract is an IServer interface, and those are all the operations (there are many more), and the implementation of it is clsServer. It's a class that implements the IServer. So when the client calls an operation, it basically uses it as a normal object instance of the IServer itself, and it calls it like a regular object and uses its methods, and the WCF framework handles everything.

Before we continue and dive into our attacks we need to talk a little bit about .NET executables. .NET executables aren't like any other executable. They don't contain native binary code. They contain an intermediate language called MSIL, Microsoft Intermediate Language, and when it is executed there is a just-in-time compiler in the .NET Framework that translates it into binary code that is executed by the CPU. And this is one of the features of MSIL: it can be transformed back into source code very easily using a reflection tool called dnSpy, or any other such tool, and it can be debugged step by step. Okay, great, thank you Nethanel.
So finally we've reached our first attack, and here we will try to define our attack surface and from there see if we can try and steal those encryption master keys that we discussed before. First things first, we started looking into the .NET application using dnSpy, which shows us the actual source code that Blue Prism developers see, and we soon found out that the application server, which is our prime target, was pretty well protected. However, it seemed to us that the application server, to some extent, is willing to communicate with any WCF client on the domain. That means that even unauthenticated WCF clients are able to call each and every one of the WCF server's, the application server's, methods, and this now became, strategically, our attack surface.

So our goal was now to somehow disguise ourselves as a WCF client on the network, on the domain, and try whatever server methods we could in order to somehow make the application server misbehave. Let's first look at an example of such a method. As I said, every unauthenticated WCF client on the domain can call CreateCredential if it knows the correct parameters to provide. Now, this is the server side. What the server is going to do, if the WCF client calls CreateCredential, is first execute CheckPermissions, here in red. CheckPermissions would check if the calling WCF client is indeed authenticated with Blue Prism, and if it is, it will load the "secure method" preamble, in yellow, and compare the permissions of the client with whatever is written in the secure method attribute. So if I'm a WCF client and I'm authenticated, then if and only if I have the permission "Security Manage Credentials", CheckPermissions would allow the continuation of the method. In any other case CheckPermissions would return an exception and the execution will be stopped.

Another example of a clsServer method is this unsecured method. We can find a number of cases where the application server should allow unauthenticated WCF clients to actually run code on the server. An example is of course the Login method. As you can see, the Login method does not have a CheckPermissions call, and the preamble is "unsecured method". So this is another example. We had to go over all of those dozens and dozens and dozens of server-side methods, trying to find the one that would make the application server misbehave. Well, after maybe three or four passes, we found this. Okay, let's zoom in. As you can see, this method is GetEncryptionSchemes. That's interesting, because this is what we wanted. We can also see that it is in the wrong place: it is physically inside clsServer, but we can see that it belongs to IServer, so that's an anomaly, that's weird. Now, what GetEncryptionSchemes does is get the database connection and call the local GetEncryptionSchemes with the connection and true. So we wanted to know what that true means. If we dig into GetEncryptionSchemes here, we will see that the true is includeKey, and this true value will be passed on, and eventually GetEncryptionSchemes would not only return all the encryption schemes of the Blue Prism platform but also include those master keys that we discussed earlier, in the collection that is returned, this one. So the only question we have left is:
can an unauthenticated client actually call this server-side method? Let's see a demo. Here we are the attacker. We are user1, and we are not a user in Blue Prism, so there's no way we can authenticate ourselves. This is the code that we downloaded, the client code that we downloaded from Blue Prism, and we run it as it is; we just added a line there, you will see that in a minute. Now you can see that we are pre-login, so we are pre-authentication; login only comes after this. We added this line, server.GetEncryptionSchemes, and try to call it. So again, we may get an exception, but of course no: we received two encryption schemes. Again, we are an unauthenticated WCF client. Let's look into the first encryption scheme here. This is the default encryption scheme, the one that is used to encrypt and decrypt all credentials on the system, and we're going to test the key here, whether it actually decrypts credentials from the database. So we're going to copy the key that we received, that's the key, we're just going to copy it, and we've written a small application that attempts to decrypt using the key (it's an AES key) and the credential we copied from the database, and, wow, this is a secret. So our attack was successful and we got the correct master key.

That's great, so we have the master keys in our hands. But come to think of it, it's like having half of a treasure map, and we probably won't be able to find the treasure without the other half, the other half being the encrypted credentials. So we started thinking about how we can chain other attacks with this attack that steals the master keys, and then we thought, well, where are those encrypted credentials stored? They're stored in the MSSQL database, so why not run an SQL injection on it?
SQL injections are one of the best known, oldest and most dangerous attacks there are. SQL injection is an attack where malicious code is inserted into a string and then passed to a database for execution. The way to prevent SQL injection is to use very strict input validation and also to use parameterized queries. The Blue Prism platform uses those rules religiously, and we went through the code several times, all of it, and we didn't find any point where we could actually inject SQL. This is why we went to the stored procedures. Stored procedures are sets of SQL statements that are stored in the database and then can be reused and shared between applications. It also allows the developers to use pre-written queries that are already approved. There is another security aspect here: it allows accessing part of a table without direct access to the table itself. This is a partial list of the Blue Prism stored procedures. We went through all of them, and even there we didn't find any point where we could actually inject code. But then we found the system stored procedures, in red. This folder contains default stored procedures that come with the MSSQL installation by default. So we went in there and we found this stored procedure, sp_sqlexec. It receives a string through the parameter p1 and then executes it. The only question now: can we call this stored procedure through the Blue Prism application?

So we went through the code again and we found this method, GetChartData. It's a secured method, so we need to be a user in the Blue Prism platform, but we don't need any special permissions; we can be any user in the system. Inside, it receives a data source name, which is the stored procedure name, and a dictionary of params. Then it connects to the database and calls the local method, this GetChartData, and inside, it calls the stored procedure using the params dictionary. Let's see how we can use it. We are in the Blue Prism interactive client, and as you will see in a few seconds, we are a user in the system but without any roles or permissions, so we can be any user in the platform. On our attacking server we have an HTTP server that will serve PowerShell code, and we have a reverse shell, netcat in listening mode. This is the MSSQL server; as you can see, the IP address ends with 148. So this is our patched client. We run it, and we call the GetChartData method, and we call sp_sqlexec and use the p1 parameter with our payload. Our payload will request over HTTP the PowerShell script right here. It will request the PowerShell script, powercat, which is an implementation of netcat in PowerShell, and then it will execute it and connect to our reverse shell, and here we have basically a reverse shell as NT AUTHORITY\SYSTEM on the SQL server itself.

Thank you, thank you. So, some conclusions for this attack. First of all, as you can see, SQL injections are very impactful. In our case we have access to all encrypted credentials, and with the attack that Nimrod just showed us we can basically decrypt them, so, great, we have credentials. We also have code execution on the robots, the runtime resources, because their code, the process code, is stored in the database, and also we have elevated remote code execution on the MSSQL server.
Now we are going to our third attack, our last attack. In this attack our target is to access the heart of the Blue Prism platform, the application server itself, and we're going to use insecure deserialization. For those of you who have never heard about insecure deserialization, we can take for example Equifax, which in 2017 announced that the personal data of over 143 million of their customers had been compromised. This was due to an insecure Java deserialization that allowed running code on their servers. Let's see how it's done in our case. As we said before, we have our clients, our interactive clients and runtime resources, and we have the application server. The WCF client is calling an operation; the WCF framework transforms it into a transmittable format, in our case a SOAP XML. This transformation is called serialization. Then it is sent over the network, and on the application server itself the WCF framework there transforms it back into a data object. This is deserialization. In our case we have those clients, but we have a compromised client, and when the client calls the operation, the WCF framework transforms it, serializes it, into SOAP XML, but then the attacker injects his own payload into this XML. Then it's sent over the network, and the WCF framework deserializes the malicious payload and passes it to the application server. But this deserialization happens before we even run the application server code itself, so we don't need any permissions to do this.

Now, when we are talking about serialization we need to talk about serialization engines, serializers. In WCF there are two major ones: DataContractSerializer and NetDataContractSerializer. NetDataContractSerializer includes object type information in its SOAP XML, and this is why it's more permissive. So we went through the code and we found several methods that use NetDataContractSerializer. This will be our attack surface. Next we need to find the point where we can actually inject our payload and it will be deserialized without any errors. So we scanned those methods that use NetDataContractSerializer, and we found that some of them use the type SessionRunnerSchedule. This type is very interesting because inside it has an attribute, mAbortLock, that is of type object, which means it acts like a wildcard and can be any object we want. So when a client calls one of those methods using a SessionRunnerSchedule, it looks like this on the wire. This is how the SOAP XML looks. It's very big, so those are fragments. We have the header and we have the body of the SOAP XML, and inside we have the data for the operation, and inside we have the SessionRunnerSchedule and the mAbortLock, and here we want to inject our payload. Let's see how it's done.

Okay, so this is our demo for the deserialization attack. Now again, we are completely unauthenticated in this case. As Nethanel explained, everything happens a long time before the Blue Prism application server even gets control. So this is our application server, user6, and we're going to show that we cannot be authenticated, we are not a user. Again, user1 is not a user on the Blue Prism platform. This is the SchedulerCreateSchedule method that we're about to use, and as Nethanel explained, we will be injecting our malicious payload inside this class here, the SessionRunnerSchedule, and we're going to use the object mAbortLock. So this is the code that we're injecting, and again we're unauthenticated. We're just creating the SessionRunnerSchedule and calling SchedulerCreateSchedule, and after that it will be serialized by the WCF client. Okay, this is, again, we've seen this: the attacker command and control, both sides. So once the WCF client serializes that information, this small application of ours is going to intercept that SOAP XML byte data and replace mAbortLock with our malicious payload. This is the SOAP XML data; we have the header and the rest, and here the application server, at 145, requested the powercat script, and we have a reverse shell on user6, the application server. And since the application server is running elevated, we are also admin; we are running in the context of an admin inside the application server, and again we are a completely unauthenticated WCF client on the domain.

[Applause]

So, final conclusions and mitigations. About four months ago CyberArk Labs did a full disclosure of 15 attack vectors that we discovered and communicated to Blue Prism. Since then we have been in continuous contact with the Blue Prism security and technical teams, in collaboration to fix the reported attacks and release software patches to customers. As we've seen, RPA is indeed very sensitive. Human operators have MFA, multi-factor authentication; they can change their own password when they are instructed to,
and they are less predictable than software robots. Robots, on the other hand, are one-dimensional as far as their identities are concerned, with no real possibility for multi-factor authentication. This makes them more susceptible, a lot more susceptible, to attacks such as the ones we've shown here. Another point that we would like to mention here, and Nethanel talked about it a little bit, is that the RPA application server practically runs code on the robots. By taking over the database or the application server, an attacker gains complete control over the robots and all credentials used by the robots. Credentials are downloaded in clear text to the robots, so if robots are the puppets, the application server is the puppeteer.

So due to all we said above, enterprises should take recommended vendor practices as a must, and be sure to deeply and thoroughly understand the security implications if recommended practices are not followed. Because of the sensitivity, we should always use defenses in depth; this may be the difference between a successful attack and a failed one. So, for example, we should use network monitors wherever possible, we should use endpoint protections such as EDRs and XDRs, and of course protect credentials by placing them as much as possible in external credential vaults. Questions?
Do you think moving to certificates would be at least one step forward, so that we can cryptographically authenticate both the client and the server, versus passing credentials around?

Can you repeat the question?

When moving to certificate-based authentication, so we cryptographically authenticate both clients and servers, do you think that would move something forward versus passing credentials around?

I think these are two different issues. Blue Prism is already authenticating using certificate-based authentication, with TLS on both client and server, but it didn't stop us here, because the application server was willing to accept us as a WCF client anyway. The only issue here was with the encryption schemes used to encrypt critical data on the application. So I think these are two different things. It may be.

Can you pull up that server code block where it runs the deserialized payload again?

Sorry, come again?

Pull up the block of server code that was running the deserialized payload.

The block of... this one?

No, the server-side code that runs the deserialized payload.

The server side, you mean this? This is the interface.

Yes. You want the actual listener, the receiver, the method?

So the listener receiving it is in the WCF framework; it's not part of the code of the application server itself. It's before this, in the .NET DLLs. This is where the serialization and the deserialization happened. Let me try to make it a little bit clearer here. The thing is, the Blue Prism application server is expecting to receive parameters. It's expecting to receive a string name or the SessionRunnerSchedule, right, as a parameter. Now, the entity that is in charge of providing this parameter is the deserializer, so this deserialization happens before even the Blue Prism code starts running. Okay?

Thank you.

Okay, great. Is there a specific requirement where the Blue Prism application server and the database server were running as SYSTEM? Because that seems to be an issue as well.

It may be. The database server was indeed running as SYSTEM. It may be an issue, but in any case the fact that we managed to get SQL injection and remote code execution on the MSSQL server means at least that we have access to all the credentials, because with the SQL injection we can do other things rather than remote code execution. We just thought remote code execution was the nicest thing you can do, but the idea is that if we have a SQL injection we can extract all the encrypted credentials and then decrypt them using the master keys that we stole in attack one. That was the idea.

We've got about 10 minutes left. Are there any other questions?

Have you guys looked at other RPA tools? Blue Prism obviously is one of the big ones, but have you looked at any of the other ones?

No, we had a mandate for one, but we may in the future, I'm not sure.

Hello, Nimrod. I've probably thrown myself under a bus here, but there is representation from Blue Prism here, so if any of you guys want to have a chat with us afterwards, we're here and we're more than happy to have a chat with you. And just a quick note to Nethanel and Nimrod: it's been a pleasure. You know, there was some stuff that came out of it, but we've worked together and it's been great.

Same here, thank you very much.

I was just interested in the payload that was used to get through the serializer.

Yeah, that's a good question. The payload is basically a payload in NetDataContractSerializer data. You can use something like ysoserial.net for it, but you need to customize it a little bit, because it's not a complete SOAP XML like the one ysoserial gives you, so you need to play with it a little bit to build it. But it's a basic payload; it's not a complicated one.

Thank you very much, thank you very much, thank you.
Good morning and welcome to BSides Las Vegas, Common Ground. This talk is "Understanding, Abusing and Monitoring AWS AppStream 2.0", given by Rodrigo Montoro from Tempest Security. A few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors LastPass and Palo Alto Networks, and our gold sponsors Amazon, PlexTrac and Google. It's their support, along with other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we ask that you check to make sure your cell phones are set to silent. If you have a question, use the audience microphone that I'm holding, so that YouTube can hear you. Now, as a reminder, the BSides Las Vegas photo policy prohibits taking pictures without the explicit permission of everyone in the frame. These talks are being recorded and will be available on YouTube in the future, and we would like you to please keep your masks on at all times. All right.

All right, so first, thanks BSides for having me here. I'm going to talk about understanding, abusing and monitoring AppStream. If you look, the "monitoring" is in bold, and so my main goal is the monitoring part, but to do the monitoring part I need to do the offensive part, right? But my main goal is to find the monitoring parts.
My name is Rodrigo, I'm Spooker Labs. I do research and detection engineering at Tempest Security in Brazil, and I live in the south of Brazil. It's a beautiful place; if you want to visit Brazil, Florianópolis is an island, so it's pretty good to be there. Proud dad and husband. In my spare time I do a lot of sports; I used to do Ironman, but if you look at me, I'm not doing it anymore, I'm too big for that. My Twitter handle is spookerlabs.

The motivation for this started when a company called Tempest about an incident response that was happening, and they told us: we got owned by an AppStream instance that used to have an AdministratorAccess role attached. And so when I was in the car my first thought was, what is AppStream? At that time I had never heard of it before. And my second thought was, if that company were our security operations center customer, would we detect that? And the answer was no. So I figured out, oops, I think we need to start to improve our detections. With that in mind I started to study a bit about AppStream and talked with Ashish from Cloud Security Podcast, and we started thinking, maybe it's time to try to do some uncommon threat detection and response for AWS, for uncommon services, because we have a lot of work for EC2 instances, S3, RDS, Lambda and the more common services. And when I talk about AWS services, we have around 300 services, and so there is a lot of room and a lot of opportunities for the attackers. As a defensive guy I started figuring out, okay, this talk, this research, is a kind of proof of concept of what we should do with uncommon services, or services that you have in your environment but you are not monitoring for some reason, and show what opportunities you have here and how we could try to detect, or maybe mitigate, or improve our security.

So I did a very brief agenda: an introduction to AppStream, some recon, attack flow, the way that I built this research. As I said, I'm a defensive guy, so maybe there is another way to do the attacks, but I'm just based on my basic scenarios. Some scenarios abusing some parts. This is not about finding vulnerabilities in the service, it's about using the service and the features, right? And the important part for me, since I try to do detection engineering: the monitoring, detection,
mitigation, and some future work and conclusions.

So, introduction to AppStream. What is AppStream? I got a couple of words and messages from the documentation. So it's a desktop application for anywhere, and "anywhere" means anyone could get inside that or use that. The applications run inside your VPC and subnets; that's cool, I could put some application, maybe some legacy application, into my cloud environment and I have access to the VPC and the subnet it's attached to. But look at the attacker's side: what's the problem? Lateral movement. So I could get inside, break the perimeter, get network access and exfiltrate data and resources that you have in your account. And that's pretty cool, because I have a legacy application that needs to connect to my RDS for some reason, and so it's there, I could connect to the RDS, so I attach a role that has permission to RDS, and this is pretty cool. But in the view of the attacker it's pretty good too, because if I break that I could access that resource, right? It integrates with your Active Directory; pentesters love Active Directory because you always have a problem, right? And GPU processing, so we have good processing there, like maybe the crypto mining guys would love to have some access.

So how does it work? Basically you have a builder part, and you install your Windows or Linux or what you need, you build your operation, all the stuff you need, and you create the users, you create the fleet instance, and so the user will have access to that application or this OS. Here is a better image, it's from a presentation from Amazon. So basically you have the image builder part; they have some pre-built applications, but you could just install Windows and do what you need to create the application, and after you work here and everything is ready you go to the snapshot and it will go to the image registry, and so you could add it to the fleet. The fleet is where you do some autoscaling, so the users will always have that application ready. The user will connect to the fleet, and you have the stack part, where you could do some persistent data, cloud storage, using S3, because when you access it you do your things and then the instance is terminated, so otherwise we don't have persistent data. Most of my research, this proof of concept, I know I didn't get all the steps here; mostly I'm talking about the image builder only and the image. I have a bunch of stuff to do here, and even if I had the time to do all the stuff I probably could not have time to speak about all of it, because it would be so long.

So how it works, how my idea worked, how in my mind I would build this recon and how it's going to work. We have the initial phase. So first, what do you need? We need to see if you have access to the actions related to that service. Over-permissive policies are not a problem at AWS, like most of the time they do administrator stuff, and so probably you find some permissions here. After that, as I validate those permissions, I show each permission you're going to need. I have access to AppStream, right? And when I have access to AppStream, to do some steps that I'm going to show later I need to do some enumeration about AppStream itself, because you have some information there, and about general AWS, because you need to know the VPCs, the subnets, if you have some role that could be used with the AppStream service, this kind of thing. So I will do the AppStream enumeration and the general AWS enumeration.
On the general AWS enumeration side, since I'm going to get inside the VPC, I would figure out which VPC I want. Do they have a Transit Gateway, Direct Connect? So I could figure out how far I could go, like maybe I could go from AppStream to on-premise. And what you need: subnets, security groups, and this very important part, roles that have trust policies for AppStream, because when you create the image you could build the image with that role. And the AppStream part: I will see which images they have. Are there non-AWS images? When you have a non-AWS image, it's probably something you created, and there you have some information from the company, maybe something you want. The fleets and stacks and the image builder. The fleet part, I'm not going to talk about the fleet part, but the image builder has the possibility of attaching a role, right? And when you can attach a role or pass the role, that means that something could be much more dangerous when you have write permissions to this. And persistent storage. So it's a big part of the actions that we need. I split here the image builder part, the image, the fleet and the stack. As I mentioned, I mostly talk about the image builder, and I will mention the image part because there is some easy stuff to do with that that is interesting.

So the very first: privilege escalation. There are three ways to have privilege escalation. The very first one: if you have an existing image builder with a role already running, like someone is working with a role and testing and doing stuff, you just need appstream create-image-builder-streaming-url. I will show what this means. With this streaming URL, you type the URL in your browser, you get inside the machine as root and you could assume the role that is running with that. So depending on the combination of the facts, with just this you could do the privilege escalation. If maybe you have some image builder there with a role associated, but that instance is not running, it's stopped, then you need start-image-builder too. So you start the image, and after that you create the streaming URL and with that you access the machine. And the most common part, the most privilege escalation for sure, right: you have PassRole and you have appstream create-image-builder, and so you create the image builder, you attach the role, and you have access to the machine and you could use that role. I have a lot of scenarios; I have some not-live demos, recorded demos, showing parts of this.

So we have the first persistence part, right. With create-image-builder, using an image that's there, you could create an image builder, but you don't need PassRole. You just create it and you have a machine inside the VPC and the subnet. And when I'm talking about persistence, what comes to my mind: what's the problem with AppStream on the detection side? We don't have detection, mostly. And if they don't have detection, this kind of instance will probably be there forever, because if I'm not looking for this kind of action, they will create that; if they don't create some large machine, it's just a few bucks that you'll never notice. The persistence part is really interesting, and you could have persistence with a privilege escalation with a role attached. And some exfiltration and resource exposure: when you have create-image-builder-streaming-url, if they have something there, you just create the streaming URL and you have access to the machine, and that's it. If they have applications, secrets, something encoded or hard-coded in the code, you have access. And the same for lateral movement: you could create an image builder, as I mentioned.

And that's the part that I mentioned here, sharing an arsenal tool. What is this? There is this permission, appstream:UpdateImagePermissions. As I mentioned, you go to the builder part and you create your own image. You could create a good image for a good purpose, or you could create a malicious image: oh, in this image I have all my toolsets and this stuff and this stuff. It's on my account, I create the image on my account, and what could I do? I could share that image with your account, right? And when I share this image with your account, I will do it from my account, UpdateImagePermissions, and this image will appear in your account, and you don't need to allow that, it will appear, right? So if I have create-image-builder and I create something malicious, I can create an image builder with my own image. And the fun part is, when you're sharing your image, you decide whether they could use it on the fleet and on the builder part, not the target account. And so this kind of thing is something that for an attacker, for crypto mining, could be a problem, because I could just create an image with all the mining stuff, and I just start that image. Okay, it probably triggers something quickly, but... And another point with this UpdateImagePermissions: you have in your account your application running that you're providing, and so I could share that image with my account, and in my account I create the image builder and I have access to the content inside there. And this kind of impact that you're going to have: data leak, network access, that could be just the cloud part, or maybe, as I mentioned, you could have the Direct Connect to the on-premise, you could do crypto mining, data destruction, resource hijacking, mass user infection. I'm not talking here exactly about the mass user infection, but the persistent data for the users could be on S3, and so I could have access to that S3 and modify something, and when the user accesses it they will have some surprise, right? And so, some scenarios. Let me just drink some water quickly.
So first, enumeration. As I mentioned, it's pretty important to have some enumeration because you probably need some part of this information. So the first part: I will make sure that I have access to those actions, and in this case I just have create-image-builder. I list the roles with an AppStream trust policy, and I have these three opportunities, right? I don't know which one has more capabilities, but I could check. And the existing image builders: you have those four here, all stopped. The good point here: when you have a role attached, it will show the role, so if I have to choose something here I'll probably try to use something that has a role attached, so I could do a lot more things. And mapping the security groups, because another way to have access: you could SSH to that image, or you could do a reverse shell, and so I will map the security group that probably has more ports allowed. I'll make my life easier, because maybe I can create an image, and so instead of keeping access through the control plane, I could just make sure that I have a security group that allows me to get inside that machine, and I add my key there and I do just network traffic, and so probably you're not going to notice. And listing subnets, the subnets and the IPs; when I'm doing pentesting, the guys doing what they need, this kind of information is pretty important. So those pieces of information together will allow me to do a lot of things.

So first, the image builder part, resource exposure. All those demos are based on having read-only plus the specific action, right, so I could do something. So I have appstream:CreateImageBuilder here. I know that this research v2 is running, so I basically do appstream create-image-builder-streaming-url with the name of the image builder, and it will generate this URL, and anyone that types this URL in the browser, it will open the shell. There isn't an extra authentication or anything else needed. And a curious part: if like five guys use the same URL, you see each other typing; it's a kind of Google Drive for a desktop. So when you put this in the browser you are getting inside a machine. In this case I don't have a role attached, so I could not try to pivot to the control plane, but I have access; I'm inside the VPC and the subnet, so I could try to do some lateral movement using the network part.

And so I could create an image to do the same, right. I'm just using this here to show: you create the image builder, you put some name, you choose the instance type (there are some large instances), whether they are going to have default internet access, the ARN of the image you want to use (I think by default it's the third image, there are different options), and that information that I mapped before, like the VPC config, the subnet IDs and security group IDs. I'd probably use the subnet: if I know the IP that I want to reach, it's easier to choose the subnets, and the security group, as I told before, the more ports open they have, the better it is, right? With this I could get inside and try to do my things. And that image ARN is that part: if I share my image with the target account I could use my image ARN here, and it will be my own pre-built tool.

So, a privilege escalation sample. I need CreateImageBuilder and PassRole, and the biggest difference between the other commands and this is that I have the IAM role ARN, that will be the PassRole. I will need to specify a role here, a role that has the trust policy, and that's why the enumeration is very important. If you drop me an email I could send you the code; the code is nothing more than the CLI with jq doing some parsing, nothing different from that. And so when you run it, it shows that you have the IAM role ARN with the role that you specified, right? That's the very first step. The second step: I will create the image builder streaming URL, right, with the same name, research v3, and I will access it. And the biggest difference: now it generates an aws config, and the config has this command inside, and if you run that command you have the keys, the keys that you could configure in your machine, right? I didn't test it, somebody was asking, but I didn't have time to test whether GuardDuty is going to trigger on that, because I know that GuardDuty now has some new detections: if you have a role attached to an instance and you pick that role for some reason and use it outside, or use it in another account, it's going to trigger. I didn't test that, but you can use it, right? And so this permission, because it is a profile, appstream_machine_role, the profile, if you want to use the AWS CLI from this shell, you could use it. And it depends, probably that's what happened with that customer, because I was just on the call, but it didn't finish, it just opened my mind. Probably someone got this and grabbed the keys and did, especially if it is AdministratorAccess, game over, right?

And so, start an existing image builder. As I mentioned, you have ones running and not running, and I will probably prefer something that has a role, right, and so I just use start-image-builder and the name of the machine, the image builder. So here a quick demo. I just ran a bunch of AppStream commands, and I show: oh, I have CreateImageBuilder allowed. Here are the AppStream trust policies that I have, so I could choose any one of them. And here I have machines, and just one running with a role. So with only this permission I could try to use this. What I did is I just tried to create the AppStream image builder streaming URL for that instance already there. It will create the URL and you go to your web browser and you paste it, and boom, that's it, you're inside the machine. That's pretty simple, and that's pretty scary. And sometimes,
with the appstream_machine_role, you just type that command and you have access to the keys, and so you could try to figure out what's going on. Besides that, you have access to the network, the subnet, and with that you could do whatever you want internally. And so when I did all this research, those opportunities and those things, I started to figure out: okay, I have those opportunities, maybe there is another way to do the same thing, but at the end of the day the CloudTrail logs will be the same, right? And so I start with, okay, now the part that I really want. This isn't our offensive part; the idea here is to make blue team great again, right? So try to do something more proactive, because most of the detections that we create are based on someone else's research: the attackers go there, they do that and do that, and we as incident responders or detection engineers, okay, now we have to create a detection for them. My goal here is, okay, let's create a detection before someone already tries to do that. Are they abusing that? Maybe, I don't know, I don't think so, but maybe they are, because since we don't have detection, right, we don't know. So basically what I'm trying to look at here: CreateImageBuilderStreamingURL, StartImageBuilder, CreateImageBuilder, and UpdateImagePermissions.

The key points, talking about monitoring and detection: you need to have the detections, you need to have the visibility. Since you have CloudTrail logs going somewhere, you have the visibility, but you need to have the triggers, the detections, and so the detections we are creating here, and maybe you have other information to do the incident response. Part of the problem is trying to find, okay, I triggered because of some event, some action here, but will I have all the information that I need? And so I tried to do something. Basically, CreateImageBuilderStreamingURL: we have the request parameters, and the URL is hidden due to security reasons. Makes sense, right? If not, an attacker could just look at the CloudTrail and they would have access to the URL and use that URL, right? And so if you don't use it, any CreateImageBuilderStreamingURL is always dangerous. If you have this, you're using AppStream in your company, take care; maybe you could monitor the source IP, but for the create streaming URL there is not much room for specific detections. But when I talk about CreateImageBuilder, we have more information there. You have the IAM role ARN, and this is cool, because when you have the event name that has the request parameter iamRoleArn, that is where the PassRole is happening, and because the PassRole is not logged (that's sad, but it's not logged), this kind of event detects that PassRole is happening somewhere. The VPCs: you could make sure that the role that's going to be used for this kind of CreateImageBuilder, maybe something different, maybe it's not supposed to use the role. The VPC part: maybe they are putting in their own subnets, it's not supposed to go to this subnet, the image builder should go through a specific subnet, a specific security group. And at the end the image ARN and the default internet access. So here you have a bunch of opportunities to create detections. And StartImageBuilder: mostly you have the source IP address and the name of the image. But as I said, if a user is not supposed to use AppStream in your company, any action is supposed to be malicious because it's not supposed to be happening. And UpdateImagePermissions: you have some room here, because as I mentioned, allowFleet and allowImageBuilder, you specify what the target account could do, right, and the shared account. Here I have a shared account, and you could maybe have a whitelist of shared accounts that you're allowed to share with for some reason, so you could create a kind of allow list.

And some incident problems that I detected: when I create a user, besides source IP and user agent (the user agent is AWS Internal), all the parameters are hidden for security reasons. It's terrible, especially when you need to do incident response: how do I know the user that was created here? For me it would be pretty easy if I had the CreateUser parts here and the email address, because of how it works. I'm not going to go deep on that, but you create a user pool, you add the user, and the user receives an email with the URL and the user and password, so he probably needs to use some email address that's not part of the company, right? And so if I at least had the email address I could just create a detection: if the event name is CreateUser and some email address is different from my domain, that's a good detection. But if you have this kind of problem, you probably need to go to the API, list the users you have there, and compare which ones are new, which are different. So it's important just to be ready, right? That's the point, because when the incident happens you start to scratch for the information, trying to find what's going on, and if you don't have that information, at least you know that you need to go somewhere else to get that information.

And another fun part that happened here: we have the web console, and here you have the CLI, right? In the web console the visibility is shared with others, because we have the accounts here being shared, right? And so I figured out, okay, I'll create a CSPM detection, because I'm supposed to create it for Prowler, and Prowler at that time was using the CLI. But when I go to the CLI, the visibility shows private, and so there is a mismatch here. I talked to the AWS guys and they opened internal tickets to fix that, because the information is, I don't know how to say it, but the information is not equal, and it's very important to show that it's shared, because maybe it's not supposed to be shared, and so if it's shared that's a problem already. So there's a kind of problem that we'll detect. That being said, some guardrails.
And if you don't need to use AppStream, deny AppStream, right? But is it going to save my account or environment? As I mentioned, we are talking about something around 300 services; you're being protected for one, but probably there is a lot more room for attackers. And so, in my opinion, what you should do: allow only the services you use, the most important services; create an SCP: if the service is not those 10, 12, 30, whatever, deny. And if you need to use AppStream, the AppStream write actions, make sure that they have a condition. I like to say that IP source conditions, source IP address, are pretty cool, because, okay, the key leaked, but I need to have access to something else, maybe a bastion host or something like that. And monitor configuration with CSPM too, because sometimes it could help.

Future work and conclusions. Maybe explore more fleets and stacks; as I mentioned, I'm on the image builder part and a bit on the image part. The rest, as I said, how to abuse the persistent data, so maybe there are more opportunities there, and study more about the user pool and the integrations. Create some Sigma rules; I think it would be pretty interesting to create Sigma rules, and anyone could use those detections. Add to the Pacu framework, right? They have like 22 privilege escalation things, maybe we could add more, and so when we're doing some testing we probably could detect. And maybe create a CloudGoat scenario, so you could simulate and see how it works. And, as I mentioned, my main idea is to create an incident response cheat sheet for uncommon AWS services. When I'm talking about creating this, the main idea is to try to create an incident response plan so that you are ready, right? So know the services you have, the services you have no idea how they work, and create detections, understand what could go wrong, this kind of thing. But you have 300 services, right? And so the idea is to create something crowdsourced, because I would probably look at this because some companies, customers, have that, and someone else would look for something different.

And some conclusions. Deny what you don't need. Remove image builders you don't need, right, because of some problems that I mentioned: I need to have my image builder already built and running, and so if you have no image builder there, I need more privileges. If you need to keep doing something for some reason, stop it at least, so I need two actions instead of one. Use conditions, as I mentioned already. Understand and study the services you use. And the most important part: if you have some service running in your environment, make sure you have some detection, like, at least understand; go, for example, to permissions.cloud for AWS, pick the write and maybe the management actions for that service, and try to see how they work, if something is logged already, or, as I used to do, start clicking everything and see what's going on, what's being generated, this kind of thing. I think I spoke like thirty-five, thirty-six minutes, and that's it. Thank you very much. [Applause] Do you have any questions please? [Applause]

No questions? Ready for lunch. All right, thank you very much.
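Detection logic for the CloudTrail events the talk names (CreateImageBuilderStreamingURL, StartImageBuilder, CreateImageBuilder with its iamRoleArn, vpcConfig and imageArn, and UpdateImagePermissions with its sharedAccountId and allowFleet/allowImageBuilder flags), written as an added Python example; this is not the speaker's code and not anything from AWS or Prowler. The requestParameters key names follow the AppStream API, the allowlists (role ARNs, subnet and security group IDs, shared account IDs) are placeholders a detection engineer would fill in, and the sample records are constructed inline so the block runs offline.

```python
"""Detection rules for the AppStream 2.0 CloudTrail events discussed in the talk.
Added example, not the speaker's code. requestParameters key names follow the
AppStream API; allowlist values and sample records below are constructed."""
from collections import namedtuple

OWN_ACCOUNT = "111111111111"  # constructed placeholder for the monitored account
POLICY = {  # allowlists a detection engineer would maintain (constructed values)
    "allowed_role_arns": {f"arn:aws:iam::{OWN_ACCOUNT}:role/appstream-builder-role"},
    "allowed_subnet_ids": {"subnet-0aaa"},
    "allowed_security_group_ids": {"sg-0aaa"},
    "allowed_shared_account_ids": {"222222222222"},
}

Finding = namedtuple("Finding", "event_name severity reason source_ip actor")


def arn_account(arn):
    """Account-id field of an ARN; empty for AWS-owned resources such as base images."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else ""


def evaluate(event, policy=POLICY, own_account=OWN_ACCOUNT):
    """Apply the AppStream rules to one CloudTrail record and return its findings."""
    if event.get("eventSource") != "appstream.amazonaws.com":
        return []
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    ip = event.get("sourceIPAddress", "")
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    findings = []

    def add(severity, reason):
        findings.append(Finding(name, severity, reason, ip, actor))

    if name == "CreateImageBuilderStreamingURL":
        # CloudTrail hides the URL itself, so the signal is that a session was issued at all.
        add("high", f"interactive session URL issued for image builder {params.get('name')}")
    elif name == "StartImageBuilder":
        add("medium", f"stopped image builder {params.get('name')} was started")
    elif name == "CreateImageBuilder":
        role = params.get("iamRoleArn")
        if role and role not in policy["allowed_role_arns"]:
            # iam:PassRole leaves no event of its own; iamRoleArn is where it becomes visible.
            add("high", f"unexpected role passed to image builder: {role}")
        vpc = params.get("vpcConfig") or {}
        for subnet in sorted(set(vpc.get("subnetIds") or []) - policy["allowed_subnet_ids"]):
            add("high", f"image builder placed in unlisted subnet {subnet}")
        for sg in sorted(set(vpc.get("securityGroupIds") or []) - policy["allowed_security_group_ids"]):
            add("medium", f"image builder uses unlisted security group {sg}")
        owner = arn_account(params.get("imageArn", ""))
        if owner and owner != own_account:
            # A customer image from another account normally arrived via UpdateImagePermissions.
            add("high", f"image builder built from image owned by account {owner}")
        if params.get("enableDefaultInternetAccess"):
            add("low", "image builder created with default internet access enabled")
    elif name == "UpdateImagePermissions":
        shared = params.get("sharedAccountId")
        if shared and shared not in policy["allowed_shared_account_ids"]:
            perms = params.get("imagePermissions") or {}
            granted = ",".join(sorted(k for k, v in perms.items() if v)) or "none"
            add("high", f"image {params.get('name')} shared with unlisted account {shared} ({granted})")
    return findings


def scan(records, policy=POLICY, own_account=OWN_ACCOUNT):
    """Run evaluate() over an iterable of CloudTrail records."""
    return [f for rec in records for f in evaluate(rec, policy, own_account)]


def _ct(event_name, params, ip="198.51.100.7"):
    """Minimal constructed CloudTrail record carrying only the fields the rules read."""
    return {"eventSource": "appstream.amazonaws.com", "eventName": event_name,
            "sourceIPAddress": ip, "requestParameters": params,
            "userIdentity": {"arn": f"arn:aws:iam::{OWN_ACCOUNT}:user/contractor"}}


SAMPLE_EVENTS = [  # constructed sample trail, not real log data
    _ct("CreateImageBuilderStreamingURL", {"name": "research-v2"}),
    _ct("CreateImageBuilder", {  # role, subnet, foreign image and internet access all off-policy
        "name": "research-v3",
        "iamRoleArn": f"arn:aws:iam::{OWN_ACCOUNT}:role/AdministratorAccessRole",
        "imageArn": "arn:aws:appstream:us-east-1:333333333333:image/attacker-toolkit",
        "vpcConfig": {"subnetIds": ["subnet-0bbb"], "securityGroupIds": ["sg-0aaa"]},
        "enableDefaultInternetAccess": True}),
    _ct("UpdateImagePermissions", {"name": "internal-app-image", "sharedAccountId": "999999999999",
        "imagePermissions": {"allowFleet": True, "allowImageBuilder": True}}),
    _ct("CreateImageBuilder", {  # compliant: AWS base image, listed role, subnet and security group
        "name": "build-2021-08",
        "iamRoleArn": f"arn:aws:iam::{OWN_ACCOUNT}:role/appstream-builder-role",
        "imageArn": "arn:aws:appstream:us-east-1::image/AppStream-WinServer2019-06-01-2021",
        "vpcConfig": {"subnetIds": ["subnet-0aaa"], "securityGroupIds": ["sg-0aaa"]},
        "enableDefaultInternetAccess": False}),
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},  # ignored by the rules
    _ct("StartImageBuilder", {"name": "research-v2"}, ip="203.0.113.9"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_name} by {f.actor} from {f.source_ip}: {f.reason}")
```

The image-owner check covers the image-sharing path the talk describes from the receiving side: an image builder created from an image whose ARN carries another account's ID is a strong signal even though the UpdateImagePermissions call was made in the sharer's account and never appears in your own trail. As the talk notes, CloudTrail redacts the streaming URL and the CreateUser parameters, so those rules can only fire on the event name, the actor and the source IP.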
Please do. Oh, wow.

The only warning I have, though, is you may be called upon to provide content for this talk. Excellent.
Are we good? Sweet. Good afternoon and welcome to BSides Las Vegas. All right, this is The Technical Trap, given by Josh and Lee. Just a few reminders: I would love it if you silenced your cell phones. Secondly, if you have a question, please use the audience microphone that I am holding so that YouTube can hear you. And with that, let's get started. Please welcome Josh and Lee.

Well, hi everybody. Welcome to The Technical Trap. As with every good meeting, we're going to have an agenda, so we'll go through some introductions, then we're going to go into the meat and potatoes of this, which is: we want this to be very interactive, so, you know, everyone, we're going to have a session of back-and-forth discussion. Please don't hesitate: stand up, yell things, throw things, not at me, and let's have some fun with this. We're going to go through some survey data and something that inspired this discussion, and we'll talk about the technical trap and the impact of it. Really, the goals for today are just awareness around the issue and discussion, and some strategies to handle it when you find yourself stuck in it. And whiskey: if there's not whiskey here, there should be soon.

All right, awesome. So my name's Lee. By day I'm a principal security engineer, and what does that mean? I deal with super large, super complex, ambiguous things that other people have not solved, specifically in security, in different areas. By night I'm a conference organizer, so I am a BSides Seattle organizer. I also was helping out with The Diana Initiative, and I have my own conference, Larry, which is an OSINT and social engineering conference. I have stickers, so after we talk, if you're a sticker person, please come get some. We're virtual this year in October, so if anybody wants to join us, please do.

Awesome. And real quick, so I'm Josh. I work as a senior director of security architecture and application security for one of the signing companies in the world you may know. By night, or for the next four days, I run the security team here at DEF CON, so I spend a lot of time over there. If you see me over there, please don't hesitate to stop and say hi.

Why this talk? It spawned back probably in the May time period, where I was actually working with one of my peers and we were discussing reviews. She was having a difficult moment where someone in another org had gone up and said, "Well, it's great, but your team's not technical," and this was the fourth or fifth time they had continued to hear that statement. And we started to just have the discussion, like, what the hell do we mean when we say technical? So I did what everyone does on the internet: I posted it on LinkedIn and we did a survey. So we're going to go and talk through some of that. Before we get through all the survey data and that goodness, we want to know what you all think. So, a little fun time: when someone is described as technical in cybersecurity, what skill or skills does that individual have? There are a couple of rules for this time period, because we only have, you know, 45 minutes: these are thoughts, not a debate, and keep your answer to a max of five words, so, you know, it's not the story of Crimea. Yeah, please.

I think that they have knowledge within one of the domain spaces of the system.

What's that? When you say what's technical security?

I think they have knowledge within one of the domain spaces of the CISSP.

Okay, domain knowledge, the CISSP.

Hands-on keyboard work.

Hands-on keyboard work.
Understanding of the technical stuff. Knowledge stuff. Understanding of the technology.

The what's that? Technology stuff. Okay.

They can script, they can patch systems, they can build systems, and network concepts.

So: script, they can patch, and what was the last one? Network knowledge.

Network knowledge. Okay.

Curiosity and willingness to learn.

So what was that? Curiosity. Curiosity and willingness to learn. Oh, curiosity, and I can't spell. What else? When you say the word technical in cybersecurity, we've so far... oh.

Subject matter expert in a platform.

Subject matter expert in a platform.

Okay.

Anything else? Any other skill sets y'all are...

Yeah, trying to think how to phrase this in five words. The ability to quickly learn, to at least an intermediate level, some single task.

Quickly learn new skills. Skill adoption.

The ability to produce the right answer.

The ability to be right. Okay.

I guess, like, in-the-weeds practical experience.

So, in-the-weeds practical experience. Okay.

Okay.

I'd say a troubleshooter.

A troubleshooter.

Read and understand code.

Read and understand code. Like Enigma.

Okay, so like a packet-level understanding. Yeah.

Anything else? You're technical in cybersecurity; what skill do you have?

Being able to explain the mechanism through which the security control functions.

Being able to explain how a security control functions and operates. I think it's the fans; let me come this way. Sorry, what was it?

Being able to explain how my security control operates.

Security controls, aha. Being able to explain how a security control operates.

Being able to talk to engineers.

Did he get it all right? And I heard, um, talk to engineers.

Can conduct a vulnerability assessment and/or a pen test and understand the results.

Can conduct a vulnerability assessment. Can conduct... I'm going to separate those, but: conducts vulnerability assessments, conducts pen tests.
All right, so this is a really good selection from everyone here. I want to ask, though: are there any up here that you look at and you would put over in, and I like to call it the vi-or-nano-level fight, like you disagree?

I would say read and understand code would be that kind of a fight, because you can be very technical at, like, packet-level understanding, you could be very good at that, but not know how to write code, or vice versa.

So are you saying that either of those skills are not necessarily required, but they would both be considered technical? Okay. Is there anything else up here that, you know, you look at and you're like, well, that's not a technical skill?

Uh, not to muddy it anymore, but, like, maybe the ability to use other pro... reversing, yeah.

Reversing tools. So thanks for being part of this exercise and actually participating, because this is the type of discussion that we've been having, leading with our teams as well, around what does it mean when somebody comes to you and says you're not technical enough. Have you advanced your technical... all of these skills? Like, you look across, and I loved, I believe you mentioned the domains, sorry, who, sorry, you mentioned the domains: always going across to the multiple CISSP domains as well as skills outside of CISSP. So when we think about this from, you know, the next question that we asked, and we asked this question at the start of what does it mean to be technical in cybersecurity, the next question we asked was, sorry, of these, which of these are engineering skills?

Which of these are not engineering skills? Let's start with that. We'll go to the negative.

Security controls and operations, because my assistance team does not want to do controls.

Pen tests, for an engineering team conducting them. Okay, I don't know.

Does anyone have an engineering team that conducts pen tests? Yeah, this is why this topic is so much fun: because we have, what, 30 people in this room, and we have 30 different perspectives on a definition of a term that we're holding people accountable to.

That's a very good point. Yeah, sorry, the question was: what do we mean when we say engineering team? Because there's physical engineering, there's software engineering, there's all the domains of engineering. So let me get back into the slide there. I want to turn back over to Lee to talk about the data that we pulled out.
All right, cool. So we actually did a survey, and one of the questions we asked was: tell us what you think technical means, tell us what you think engineer means, and then just tell us anything else you think we should be aware of, like, just give us your open feedback. Which is in a different order, so let's... I'll get there eventually, I'll go in a different order. So here's the open feedback we got. I'm not going to read all of them, but we highlighted the parts that we thought were relevant, right? So: greater than zero knowledge, writing about code, limited to no coding experience, soft slash people skills (personally I prefer leadership skills, but, you know, trust me), gatekeeping, gatekeeping.

All right, so let's go back a little bit. Is it an open survey? Anybody on the internet could answer it; it's probably people we know. I mean, there's a little bit of that going on. So we did ask people for demographic information, and I always think that's helpful, just to set the tone, like, who's answering these questions. We mostly got a bunch of men answering these questions; we were joking, like, what does that say about all the people we know? And we actually got a ton of people with a lot of experience, which, I actually read all the data line by painstaking line, and you could really see some interesting changes that we're not going to go into for this talk, but as you went through years of experience, that I thought was really, really fascinating. So everybody just gave us open-ended comments, like, way more than five words, in case you're wondering, and so I tried to group things, because I wanted to create those word clouds. So, for example, if somebody said you need to be a pen tester, you need to know cloud security, you need to be an infrastructure person, anything in, like, the CISSP domains, I put together all as "security domain", just because that was easier, because otherwise you just get, like, the world's largest word cloud that would mean nothing to anyone. So you saw a lot of people said security domain; a lot of people actually said systems. So you've got both the systems concept and systems design; I broke them apart, please don't hate me. Some people didn't actually go into security domains, they just said security, all up, and I didn't really know what to do with that, so I left it alone. I mean, coding's up there, like, it's pretty big, right? And somewhere there's scripting, not as big, much smaller. But what I thought was really interesting were the number of people who said you have to understand, you have to have knowledge; sometimes people might use the word expertise even, right? So it's like, you have to understand. Okay, cool.

So what did they say for engineer, then? I mean, it's similar, but it's different, right? Like, coding is probably the biggest word out there, which I thought was fascinating, and then build, which makes sense, right? Like, we all build something. Again, you've got security domain, you've got systems; I think someone said hands-on at one point, that got up there. I saw a lot of people call out tools and tooling, and controls, and so, like, all the words we use, right? So we already hit the comments, but I want to bring it back up again, right? So I think the bottom two are the most telling for me, right? Like, I love the "not technical is almost always a gatekeeping way of saying not technical in the same way." I think that was brilliant; it's such an easy way to capture what we're discussing.

Okay, so we've talked about a bunch of words, you all participated, you're all awesome. So what's the solution to the confusion? Well, I mean, we're nerds, so we went to the dictionary, and we're like, what does the dictionary say about the word technical, what does the dictionary say about the word engineer? So does anybody in here, like, maintain public works, like build bridges? Anybody? Anybody maintain engines? Anybody, like, an electronic engineer? No? I was kind of hoping there'd be one. Structural engineer? No? Wait, there are no engineers in this room. So I thought this was really interesting. I also love the fact that engineer is both a noun and a verb; that kind of cracked me up when I was doing the work. I was like, oh, I can... I mean, it makes sense, right? We talk about engineering a solution; we also talk about humans as engineers. So that's what the Oxford Languages dictionary says.

So why do we not know what to call things, and why do we have this problem? I'll be really honest, I do think a lot of it is unconscious bias, right? Like, we don't mean to stereotype, but we do, and we've all taken... well, maybe I shouldn't assume things; a lot of us have taken some sort of bias training at work, right? We all talk about it. So I do think that is definitely a problem. There's the affinity bias: we like people like ourselves. I mean, it's really funny, if you ever go through your network and spend some time, like, my network is obviously more heavily weighted towards women, even though I'm obviously in an industry that is more heavily weighted towards men, but that's an affinity bias. You've got confirmation bias: hey, I do pen testing, so I like the person who does pen testing because they're cool. I actually don't do pen testing, but that was an example. There's also time pressure, right? Like, you've got to make decisions quick. So when you think about your interview experience, right, you're trying to make a judgment, you've got 60 minutes to figure out, is this person the right human for the right job? There's a time pressure there. And I also think this one's key: we've got a lot of really hard problems to solve that we don't know how to solve. There's just too much ambiguity, and so we say, oh, we just need someone technical to solve our problems.

So how does that impact our industry? Well, I think this data is out of date, right, but they estimate we'll have 3.5 million openings in cybersecurity. Now, I know there's a big debate whether this is accurate data or not, but look, even tech recruiters say there's bias. Like, let's be real, this is a real problem for us, and we know that there's bias in performance reviews and promotions, and unfortunately the impact on women and underrepresented minorities is much greater than on folks in the majority. And if we want to be an inclusive industry, we've got to tackle this. So I'm going to turn it back to Josh for how we're going to tackle this.

Tackle. I used to play football, I know this. Oh, wait. So this technical trap has a huge impact, and anyone can be trapped in this.
Think about, throughout your career, if you've ever had a review where the review feedback was, you know, "I really want you to be more technical," "I really want you to code more," when you're working as a network engineer. These things act as gates; these keep individuals from progressing in their career. And if you're that individual getting told that over and over, you're not technical, you're not technical, you're not technical, what are you going to start to believe? So I tried to generalize addressing this into something for both ICs and folks who have management. So I run a team of about 25, and the first thing that I tell folks to do is: it's all about sitting with the uncomfortable and getting ready to be uncomfortable, because there are times that you are the person being held back by this trap, and there are times that you're the person implementing this trap. We all can have biases. So acknowledge that there is bias in our language, there is a lack of clarity in a lot of our language and how we apply it and how we measure others against it, and take that time to intentionally ponder what that means. So when I say intentionally ponder, it's really taking a moment to sit quietly and think about your own life experience. Do you have an example in your life where you're like, yeah, I got told I wasn't technical, and I kind of shrugged and went, what do you mean?

Question. So as a trapper: am I making assumptions about skill sets needed based upon me? Like, I've been in this job for 25 years, I know what a cybersecurity professional does and what they need to be able to do. Do I have any data to support that? No, but I have my gut. Questioning the ambiguous statements: so, you know, even during our interaction here we had statements like coding or scripting. If I walked into my computer science class from two decades ago and asked people what coding meant, there was an assembler class and there was a C++ class, and I guarantee you those classes thought very differently about what they meant by coding. So this is where we talk, and we'll talk about precision. Questioning my default values: I found for myself, when I did this inspection, I have the default value of pen testing, because if you don't pen test you're not in cybersecurity. I have the default value of coding, because if you can't do Python... it wasn't just coding, it was Python: you can't do Python, you're not in cybersecurity. And I had nothing in there about risk, I had nothing in there about controls, and, you know, going across domains. So, you know, questioning, and also getting that outside perspective. So as you're questioning, going to your peers and going to your friends and having this discussion; you know your friends, you love them, they love you.

And in that reflection, start, because again we are nerds, start playing some experiments. Try a new ground rule for behavior, like: as a manager, I cannot use the word technical in any of my reviews. As an IC, when I'm writing my own review, I cannot use that phrase. I cannot use the term coding in my reviews; I need to reflect what I'm actually doing, reflect the skill set that I'm utilizing. And the other test and experiment that I implemented was less instinct, more intentional, meaning taking that time, especially when working with others and working on my own side, to say, okay, what is the skill we're looking at, and where are they adding it?

On the awareness side, we joke about the trap IOCs, the indicators of cot or compromise, or whatever we want to call them these days. But as an IC or manager, take a look at your review feedback. I'm looking for those ambiguous statements, reading the statements as if you were someone completely outside the situation and going, if I read this statement of, hey, could work on X, could work on X technical skill set, is that clear enough to actually tell me what that person should do, or tell me what I should be doing, or my reports should be doing? Assignment trends: and this is something that I encourage anyone who has people reporting to them to start looking at, and keeping track of the type of work that your people are being assigned. This is one of those sneaky ones, because, you know, we're all in the security architecture team, they're doing architecture work. I found at one point I definitely had one person who was doing way more control writing than they were doing systems architecture, and there was a default that had to be fixed, the belief that this person didn't have a skill set there. We talked about the lack of documented scope, and, you know, any time you have a work task or an item, having that clear: what are we trying to do here? So you can actually go and talk about skill sets, which brings us into where I talk about precision.

Like, as individuals in cybersecurity, and again, I don't care if you are a manager or director, a consultant, an IC, precision is one of the biggest tools to root out bias and to fight the technical trap. Meaning, when you have work that's assigned to you, or you're assigning out work: has anyone had an assignment saying "engineer a new system"? I certainly have. "Engineer a new data system." Great, the next task was to go break it up and actually figure out what that meant. But when it was reported out and talked about, all it was talking about was, oh, they engineered this data system, they engineered this system. The skill sets needed for the roles that are actually being enacted, and this is where we talk about the day-to-day work and being precise about what an individual is supposed to be doing. I'm going to say the scary word; I'm going to say, you know, career ladders and role definitions. Who here at work has ever had a career ladder? Yeah, building one, or used it? So career ladders have both a very positive conversation and a very negative connotation in our industry, because for some folks, when they're built, they end up being this checkbox to promotion, and in others they end up being this pathway or guide. So when you look at a role or an organization, and if there are no career paths, and I'll use that as an alternative phrase, career paths that define skills required, not "be more technical". And when we say skills required, we're down to: they need to be able to write Python, they need to build a pen test Linux system, they need to be able to map controls from CIS to STIG. These are skills that we can measure against, and not have ambiguous hands-to-sky statements about how someone is doing. As you look at those job breakdowns, one of the questions that I'll ask with each one is: if I'm measuring someone on a skill set, how do they train on that skill set? Because if they can't train on the skill set, either I've got a terrible skill set that no one knows but the mystic master over in some far-away land, or I've got a skill set that I haven't properly defined. And if I'm measuring folks on skill sets that they can't train on, how do they succeed? Curiosity can only get you so far. And the last one I want to call out about precision is ensuring that what we're measuring and looking at folks on, and what we're measuring ourselves on, is it actually applicable to the core of the role that we're in or the role we're going to, or is it a one-off? For example, I had an engineer at one point get assessed on not knowing how to implement a Juniper firewall, because the one weekend, one time, there was a need to fix something on a Juniper firewall. Wasn't their job, wasn't their role, they didn't know the skill set. The feedback came to me: oh, this person is not technical, they couldn't fix the Juniper firewall. Who here can go ahead and fix a Juniper firewall? Wait, I thought you were all inside. There we go, all right, we've got one Juniper engineer. I thought you were in cybersecurity; isn't that a cybersecurity skill? Sorry, I get a little fired up on this topic, I apologize. But so, oh dear, oh, we have the wrong version now.
Do you want to just do the summary? Where's the summary slide? We have the usual fun of a slide issue. One second, please.

Oh, there it is. We like to hide slides from people, apparently. I'm sorry, that's my fault.
Actually, it's a bit more of an engineering concept. So, in summary: we all can't fill our roles, let's be clear, we have way too much demand, but we don't need to sink our own ships, right? So we need to really... you've got to stop letting bias stop you, right? So actually this applies, I would say, even more often when we're interviewing, right? So you're doing the debrief, you've had this great conversation, and somebody's like, oh, I mean, they were great, but they weren't technical. Like, there's no way that hasn't happened to people in this room in a debrief. So, like, stop the person who says that and say, okay, well, tell me what you mean. What skill do they not have that you think is essential to this role? Like, fight back when people say, oh, they're not technical, because there's probably some sort of unconscious bias going on, and let's just call a spade a spade.

I think this impacts ICs and managers a hundred percent, and it impacts everybody in our industry, because either you will be told at some point you're not technical enough, or maybe you'll have the delightful experience that I had, which was: I was working for my company on a booth, and someone walked up to me, they're like, oh, what do you do? I'm a technical... at the time I was a technical program manager, and they're like, can I talk to someone technical? And I was like, wait. I think, in my opinion, like, okay, I get it, you heard the word program manager and decided I wasn't technical, even though, like, literally it's in the title. But it happens, right? And I think it's how we respond to hearing stuff like that, and we don't let it stop us. And as I said, it impacts ICs, managers, everybody; we all have to be in this together. As we mentioned earlier, there's both anecdotal data that we saw that indicates greater harm to underrepresented minorities than women, and, like, we want to make this an inclusive industry. Like, we want to make sure there's everybody, because let's be clear, we don't want diversity for diversity's sake; we want it because the more people with different backgrounds that come in and join in a conversation, you get a better outcome. Like, that has been proved again and again and again. So, like, let's embrace it for the awesome business enabler it is.

And to combat it, it takes focus. You've got to commit to this; it's not something I can just say, like, oh, I'm just going to not fall into the trap. No, you have to commit. I think reflection is the most powerful tool there is. I remember I was in business school, and each week we had to reflect on stuff, and I was like, this is an amazing tool, I wish I had this in my tool set earlier, because it just allows you to learn in a different way. So reflect, like, commit to becoming aware, and get precise. Like, if you're saying, I need a technical person, really, what do you need? Like, it's not sufficient anymore to say I need a technical person or I need an engineer. What exactly do you need? What skills do they have to have when they walk in the door versus what can you train them on? Like, what do you... have a really exciting candidate that you believe you can train? Are you going to let your bias of, like, they don't know how to pen test stop you? I would hope not, but plenty of people do. So get precise, know what you want.

And we would love feedback, like, if you liked this, if you didn't like this; we're feedback at bsidesfeedback.com. Yeah, we just did that in the speaker room. Yeah, we're like that. And we'd love to open up for questions. I think we still have time; I'm not watching the timer or anything else. Like, any comments people want to say? Like, really did appreciate everybody participating. If you're participated out, I understand, but if you're not, we would love to hear any thoughts. This, I can do it.
I think that biases are out there. Being technical or not technical can manifest in different ways. I have experience with it manifesting from the other side, when somebody is considered to be too technical in order to be good enough with, you know, soft skills, and this was not based on any kind of actual experience with that person playing that role, but simply an assumption that, you know, a good engineer is probably not also a good manager at the same time, right? And I think that, I mean, if that is the case, and really it's just a standard for, you know, like, the bias expresses itself in multiple different ways. I think that we shouldn't be just looking for, specifically, you know, bias around the term "technical", but about the biased approach to assessing people, whatever terms are used to describe the pitch, and call the first one based on the frequency of notions.

So true. You know, the statement, and to re-summarize: bias impacts in all directions, and we talked about, you know, getting precise on what's actually needed by a skill set, and also taking that time to reflect, and asking others to reflect. Like, why is it that you say that this person who's an engineer doesn't have leadership skills? Well, they're an engineer. Okay, what does that mean? And, you know, sometimes taking that Socratic questioning and just taking someone down that road, you get some amazing results, when that person's eyes start to light up and go, crap, I'm just assuming that, oh, the engineer can't talk to humans.

But what do you do, what do you do when the person you're talking to doesn't know the specifics and just uses technical as an umbrella term because they don't know what they need?

So I can speak from my experience; it depends situationally. I'd love to say that there's a catch-all golden answer, but I'm still following down the: if you cannot specify beyond the word technical, then we are not in a position to assess the individual. If you cannot specify beyond the word engineer, we are not in a position to assess the individual, and we need to fix that. That's the problem now, and I'm going to focus on that problem, and once we fix that problem we come back to assessing the individual or the group of individuals.

Yeah, at least for myself, I mean, I've experienced this in job interviews, and oftentimes coming from people other than the hiring manager who have some misconception about what the role is. In one case I was interviewing for a security manager role, and the director of development had something, you know, stuck in his head that the role had to be a pen tester, and I was not a pen tester, and in my opinion that's not what the tournament should be doing, you know, but he just couldn't get over that and try to get the job. So, yeah.

Yeah, so what I heard was around having that situation where it's not... in a hiring situation where it's not even necessarily the hiring manager, and as a candidate you won't know this, you won't know who it is on the back end that's like, well, that person can't bake bread, so obviously they're not a good systems engineer. Loaf of bread is good.

But one thing I found to be helpful is actually emphasizing my soft skills, especially when it comes to translating technical concepts into more approachable things,
so being able to communicate cross-functionally to less technical teams actually shows me to be a stronger technical person i think it's called uh counter-signing but basically like being able to dumb things down without making the other people feel stupid has been really valuable in getting myself higher and higher as a technical person because i'm able to get more support from more parts of the company and like ceos aren't always the most technical critters sometimes they're a business critter if you can tell them why you're doing a good job or why the engineer just kicked ass learning all of terraform in a weekend you become more valuable as a technical resource as more like a technical
consultant and so that might be something that is more helpful like to very fun as well as this stuff very true and and i love like taking you know we we sometimes talk about engineering technical like we're this isolated thing that we exist just for ourselves um i other than some non-profits out there i think most of us work for a company that you know makes profit and does something you know and has other uh facilities and like you said to be able to to communicate what what does it mean that the bumper on the car has been installed three seconds faster well that means this in the business world and i know we're having the conversations now
about the csombiso discussions which i think are going to be interesting in the next few years right could part of the problem be the unrealistic expectations of people just starting out in the industry because they're new to it but the cyber security industry is short of people so they have slightly unrealistic salary expectations so in bigger companies to get those roles it needs the title of engineer or whatever so could that be part of the problem i i again i can only speak for for the areas for my experience but definitely we you know we do have um if common practice if you have an engineering title or a developer job class your pay band is different than if you
are a you know technician um and sorry um and you know the other part of your statement there around kind of folks starting out with and i wanted to clarify do you mean the folks the new people have on real expectations on themselves or the companies have unreal expectations of new folks coming in
uh so the the discussion of like i need to come into the industry as an engineer because that's a better pay band so but even at that point as a hiring manager or as someone you know looking to fill out roles my role title may be engineer but my job description and my checklist for all my rehirers are skills and if those skills aren't there then we shouldn't hire that candidate
So, something that I've experienced that I think is tangentially related to everything we're talking about is a desire for candidates, and I'm speaking as a candidate going into job interviews, a desire for candidates to have the experience, which they cannot have without having the experience, if that makes sense. Like, getting the initial experience is a huge barrier as someone who's coming into security without an IT background, and that can be kind of brutal, in my experience.

Yeah. What is your background?

I was a farmer, and then in 2019 I took a cyber security boot camp and then kind of went off on a tangent with it and found my tribe.

That's awesome. Hell yeah.

Startups are so desperate for everyone. Please go find some startups. They have no idea what the hell they're doing; they're so precious and wonderful. Also contracting. Contracting is great, because if you do a small project for someone and it doesn't work out, it doesn't matter. So put it on your LinkedIn as contracting. "Oh, I keep my clients private." "That means I can call your references." "Um, okay." And if it does work out, then you do get a lot of really good experience, and you can still dip out whenever it gets too crazy. So, highly recommend startups and contracting, and keep trying. It's crazy. And, like, adjacent stuff: I'm in QA. I come to security conferences because it scares the crap out of me, and because sometimes I get to wedge some security bugs in as QA bugs. So there are sneaky ways.

Thanks, for sure.

What about these entry-level positions that are advertising for candidates with two or three years of experience?

And I'll assist with that. So I want to reiterate, restate the... so essentially the question again is about the hiring field today, where we still have this terrible job description mantra: entry-level position, two to three years' experience, CISSP required, which requires five years of experience before you can get the full CISSP. So the unfortunate side of that is that it has to be corrected by the companies. Like, as someone coming in as a candidate, you know, other than, you could say, "hey, this seems like unrealistic expectations," but that, you know, as a candidate isn't really going to help you in that situation. What I treat it as is: those are red flags for me, for companies I don't want to work for, because they have not taken the time to reassess their job descriptions, to look for biases, to look for issues, and to try to make sure that they're recruiting in a different fashion and opening up the field. I don't want to work for a company like that. I want to work for a company that's going to have a room looking like this, with cool people; we're going to have great times, and we're going to break some...

All right, okay. Well, if there's nothing else... please, if you think of something later, please reach out. If this was a helpful discussion, let us know. If you thought it wasn't, I mean, let us know too. I like all feedback. Yeah, like, just be constructive; that's all we ask. That's how to get a hold of us, and as we said, we're BSides Seattle organizers, so you could probably also track us down that way. And thank you all for participating; we really appreciated it. Have a great rest of your day. [Applause]
Good afternoon, welcome to BSides Las Vegas. This talk is "Secure IT Operations, or How to Shoehorn Security into a Small Medium Business," by Carl Hurts. A few things before we get started: please make sure your cell phones are on silent, as a courtesy to people on YouTube and also people in the audience. Secondly, if you would like to ask a question or participate, I would love it if you could speak into this microphone that I am holding, so that YouTube can hear you. Without further ado, Carl, take it away.

Hi everybody. Thank you, thank you, thank you. You're my people. So we're going to talk about secure IT operations, or how to shoehorn security into an SMB. Normally when I do presentations, when I have bad news coming up, I try to put something really fun and silly on the previous slide, like goats being goofy or whatever, just to soften the blow. There's none of that in this, sorry; it is nothing but bad news. So, because of that, let's just move on. Hi, who am I? I'm Carl Hurts, silly c on Twitter. I'm the IT director at Elevate, currently in the transition to becoming the security director at Elevate. Thank you, thank you very much, that's appreciated.

I'm old. I have 33 years of being fully employed in IT and security; 18 of that has been in the utility space, mostly the energy utility space, specifically electrical. I am on the board for Blue Team Con, which is in just a couple of weeks; if you can make it to Chicago and you're a blue teamer, please come up. I am also a co-founder of CocktailCon, which, yeah, thank you, thank you. But for those of you who do not imbibe alcoholic beverages, we always make sure that we have non-alcoholic cocktails, shrubs, stuff like that as well, so we try to be very welcoming and open for people who just want to experience cocktail culture, even if you don't want to experience cocktails. And if you do decide, if you have really bad judgment and decide to follow me after this, if you're not already, I am silly on Twitter. Don't expect much security on there, just so you're aware.

So what should you expect from this talk? This is a non-technical talk. I have been in management way too long to be allowed near a computer that has access to things, which is good, right? That's good security. I'm going to be talking a lot about systems, and not necessarily computer systems; that's part of it, just how things are interrelated, because one of the things that I want to talk to you about is getting out of the idea that security is its own thing. I'm going to be talking about the opportunities in security for small to medium businesses. There are lots of advantages that you have from being small in security, lots, and I'm not just talking about security through obscurity, right, just because you have fewer internet-facing IPs; there are other advantages. And I'm also going to talk, unfortunately, about the ridiculous number of challenges that we have doing security for small to medium businesses. And there might be some shenanigans, who knows.
So how did we get here? This is going to be a bit of autobiography, from my experience working with small businesses. I've, again, been doing this a long time. I've worked at Fortune 100 companies, I've worked at startups, and I work currently at a non-profit, for the past 12 years actually. But what is always the reason why a company decides to pivot on their IT or security strategy? I'll tell you what it is: something very, very bad happened, every time, right? Because we all, you know, do the Chicken Little "the sky is falling, the sky is falling"; that plays a big part of why people don't listen to us on that front. But there's the whole idea of unrealized costs, right, and especially in a capitalistic society, unrealized costs are really, really hard to pitch inside an organization, any organization; it doesn't matter if you're a non-profit or a Fortune 100. So one of the things that you have to learn how to do, whether or not you're at a big company or a small company, is how to communicate that up. And of course, if any of you have gone through... and I'm going to talk a little bit later about risk assessment and trying to figure out the cost of controls and stuff like that, but they don't speak that language, right? So it's kind of a cat and mouse game that you get to play as you go along.

So the first thing that I will say is: once you're brought in and you're expected to fix the problem, whatever the event that brought you into that position, work with empathy, right? Something bad just really happened, and hopefully you weren't the cause; sometimes you do have to clean up your own mess. But you have to really understand that someone who may still be at the company could have been the root cause of that. You can't be like the IT guy on Saturday Night Live and just go "move!", right? You have to understand the politics of the situation. You have to understand that people's jobs are on the line, and make sure that when you're addressing the situation, when you're brought in to take that over, that you are empathetic, not just to anyone who may still be around that was part of the root cause (a lot of times they're not), but also empathetic to the company's need. They brought you in to fix the problem, right? And if you go in there with a very specific mindset of what you want, what you as an individual want to get done, it can be difficult. Focus first thing on the incident, right? Even if you're not an IR person, they're saying "hey, we lost X." Your job when you first get in is to show the competence that you can resolve issue X. And that can happen ridiculously early. I have one anecdote for you here. It happened to me in the interview process once at a company. So I was brought in for the interview, and they were starting to ask some tech questions, pretty basic stuff, and they said, "hey, so what would you do if there is a very important Linux system, and the person who set it up isn't here anymore and didn't write down the root password?" So my response was, "this isn't hypothetical, is it?" And they're like, "nope." I'm like, "okay, this one's for free; hopefully you'll hire me." You know, and y'all, who knows the answer? Raise your hand. Go ahead, you raised your hand first. Boot the CD, right, and you get in as root without a password. Perfect, right. Okay, so yeah, that was a bunny; it was an easy question, but for them it was just like, "this guy knows magic." So you have to, again, be empathetic. Don't be the one who goes "I know better than you," but pay attention to what the problem is and resolve it. In this particular case, not only had that happened, but they had lost another primary server and the backups didn't work. So that was the mess that I was brought
in to clean up. So what did I focus on first? When I would first normally get to a company, I wouldn't think that data recovery would be the primary mission, but for six months I made it my mission to not only fix the initial issue but make their data recovery, their backup recovery process, resilient, redundant, etc. And then they're just like, "oh, you can do all that? Well, here's this whole mess." And yes, I know, I've been looking. So, which leads on to the next step: learn the damn organization, right? Many of us like to go, "I'm just an IT guy," "I'm just a security guy," whether you're in the SOC, the NOC, your help desk, whatever it is. But the fact of the matter is, IT and security are both there for one reason and one reason only: for people to work. That's it. And unless you know the work that your company is doing, or the company that you're supporting is doing, you cannot do a good job. You may be technically proficient, you may be fulfilling the job description, but you must learn the company, and that means talking to people. And I know that can be scary as an introvert; believe it or not, I am an introvert. This is burning the candle at both ends for me. I enjoy it, but I would much rather be in the cubicle in the basement by the loading dock doing my thing. But you really, really, really need to learn the people in the company.

Who are the people in the company? Well, actually, I'm going to take it a level higher, because we're going to talk systems. How many of you, show of hands, know the mission statement of your company? About a third, okay. So, yes, mission statements are... right, but they are also not, right? Because, and you can see this as CYA, cover your ass, whatever you want, but the fact of the matter is, if you as someone who helps people work, and that is the mindset that you have, "my job is to help people work," that mission statement will save your ass so many times over, because you can use that when you get into debates about costs, about anything. You can say, "well, you know, our mission is this; here is how it helps deliver on that mission." Whether or not you agree with the mission is a totally different talk, and I'm not going to go into that now because I have way too much material.

Learn who the leadership is. If you have access to the leadership in the organization... I know a lot of companies really firewall off the executives, especially at bigger companies. But especially if you're in a position that is deploying security in any way, shape or form, whether it's as IT or an actual security department, you tend to get a lot more access to those people than your average rank-and-file employee, because again, your job is to help people work, and they need just as much help, if not more. Yeah, anyone work service desk here? Service desk, show of hands. You know what the executives are like, right? So make sure that if you have access to the executives of the company, pick their brain when you have a chance: five minutes in the lunch line, whatever it is. Learn all of the legacy IT, whether you're in IT or security. Find out everything. Do as much discovery as you can without getting in trouble, even if it's outside of your realm. There are ways to discover things that aren't using nmap blasting things off the network; there's human intelligence, whatever. Learn everything. It will save your bacon, and it will actually help you when you are working on your stuff. Someone's like, "well, we need to do this and spend all this money on this," and you can go, "well, that department over there has already got it; why don't we talk to them?" You have no idea how many times I have been asked to procure something only to find out later in the investigation process that four different groups had already bought said things separately, because the procurement process, especially for cloud services (I'll get to that a little bit more later), they're already in the company, whether or not it's actual IT or shadow IT. So find out what you can about all the systems.

Oh hey, I mentioned shenanigans, and they've shown up. So I'm going to switch hats real quick to one that looks like a mitre, and I am now not Carl Hurts; I am now a bishop of the Church of WiFi, and if anyone would like to have communion with the Church of WiFi, you're welcome to come up here. There is no pressure, but if you would like to be an honorary member of the Church of WiFi, please have some Malört; it's delicious and nutritious. [Laughter] So I'm just going to set this out so I can keep my talk going, but go ahead and start pouring yourselves, and I will... oh, you need to run? I'll do two shots. I'll do one with you. Thank you so much. Cheers. Take it off. Cheers. Thank you, I'll be your deacon. Alrighty, thank you.
Tastes like the day Dad left.
So, hi camera. Wow, look at all of these people. I love it. Yeah, make those pours. No, we're good, we're good. So I'm going to go on. I mentioned shadow IT briefly. Every company has it, and if there is security in the organization, I will blame it 100% on security; if there's not, I'll blame it on IT. But the fact of the matter is every organization has shadow IT, and that is part of what you should be mapping out when you're doing your mapping. It's amazing what you can find that people have signed up for, for free, using their personal email addresses, whatever. I mean, we all know the security risks of shadow IT; this isn't a talk on shadow IT, but map it out as if it's part of your IT. Don't ignore it because it's not your responsibility, because it will eventually be your responsibility. Okay, so make sure you're paying attention to shadow IT.

Another one, and this one hurts the most for me; these are where my biggest fights come: understand your company's fiduciary positions. That's just a fancy way of saying, learn what they like to spend money on and what they don't like to spend money on, because it's going to make a major impact on your life at a small to medium business, because the answer is they don't want to spend any money on security, period. I've been at my current job for over 10 years, and as I said, I am just now pivoting to getting the position of director of security from director of IT, because we finally convinced everyone that our secure IT operations is mature enough that we need to start firewalling the two, that in order to get higher up the ladder of iterative improvement, it needs to happen. So the answer is no one wants to spend on it, especially at small companies. And I would love to keep that as a parting gift; it is beautiful, thank you so much. Alrighty.

And last, find out what your company's appetite for risk is, and if you have access to the executives, it is actually really easy to find out what their appetite for risk is. What do they mean by appetite for risk? Well, again, it goes back to that mission statement. So I've worked for utilities; can you guess how big their appetite for risk is? None, right. I also work for charities. You know what their appetite for risk is? Is it going to save that person's life? Is it going to keep that person from being homeless? Do it, get it done, right. Two very different challenges, but they're both challenges that you have to pay attention to and put into any math, any calculus you're doing inside your head when you're trying to think about how to deploy security in a small business. So definitely pay attention to that; it will be an excellent guidepost for you when you're making serious decisions on what to spend your limited budget on.

So I'm going to talk a little bit here about some more challenges, and I'm going to break it down specifically to something that, as security people, you're probably familiar with: the CIA triad. Even though this is more of an IT talk, again, I want you to think not that IT and security are different things, but that they're the same thing. If you're at a small business, which one of these is the most critical to the business? Thank you: accessibility. Confidentiality and integrity don't even come to mind; they only come to mind when there's an incident. But at a small company, accessibility is going to be a challenge for IT from the get-go. Even if you're at a startup that has just had oodles of money thrown at them from the vulture capitalists, they don't care about anything but "can my people work?" That is always going to be your hardest lift: making sure accessibility actually works. In the case that I mentioned before, they lost their primary file server; that's all they cared about: "how do I get to my files?" Integrity, whatever. Like many small businesses, the same person is doing accounts receivable as accounts payable on the same system; there's no firewall. The integrity issue, it's just not even on their radar. So the first thing that you need to do is make sure that accessibility is working. The second thing you need to do is get them to understand the impact of confidentiality and integrity. And again, I'm talking in generalizations, I'm talking from my personal experience, but again, I've been around a long time and been at a lot of different companies, and these are things that you see over and over and over again, and I'm sure, by some of the reaction in the audience, you've seen it as well.

So we're going to move on from the initial "you stepped in and you're trying to figure out the lay of the land" to how you actually start engaging the company, the organization. And again, I'm going to use a security framework in this case to talk about it and secure IT operations, and that of course is CIS. For those of you who haven't... anyone not know what CIS is? Do I need... okay, we got a few. So it's the
Center for Internet Security, right, and they have what they call Critical Security Controls, and these are a hierarchical step. Number one... I didn't number them, but this is going one through 18. They have 18 controls by which they measure the maturity of a security program, and I'm really only going to focus on the first two here real quick, but I'll add a little bit to it. So these are the first eight, and the reason why they are ordered the way that they are is that any flubs early on are going to directly impact your ability to work on the controls farther down the line.

Okay, everyone say it with me: what is the single most important job of security? You should be able to tell by looking at the chart. Inventory. You can't protect what you don't know you have, period. How companies do not have chief inventory officers is beyond me. If you don't know your assets, and I'm not just talking about assets with MAC addresses, if you don't know your assets, you cannot secure them, and this is why defense is always slower than offense. The red teamers will always have an advantage at every single point, because even though CIS has been around for that many years, it's still step one, and 99% of companies don't get this right. And I'm going to sound a lot like a doctor from the 1950s with a lot of this; a lot of it is no-brainer stuff in theory, but in practice, inventorying everything in your company (and again, I said pay attention to shadow IT), inventorying every asset, whether it's network assets, servers, desktops, people, software, cloud services, knowing at any given point in your company what's active, what's available, is literally an impossible task. Who here is familiar with ITIL? ITIL, okay. ITIL, it's just like, ah, wouldn't it be great if the world actually worked like ITIL? A lot of our security problems would go away. And again, because security is not separate from IT or literally any other department in your company, ITIL is literally about inventorying; that is the whole thing. And people have tried to come up with cloud services, software, whatever, to maintain all of it and actually conform to the full ITIL standard. It's like communism: wonderful in theory; wonderful at scale, nada.

So I'm going to just flip to the second slide real quick. These are once you get higher. Surprisingly, malware defenses, which for most companies is the first thing they do ("oh, we've got to put AV on our machines"), is number nine according to CIS for a mature security program. That one always surprised a lot of people. As I mentioned, at the place that I went, data recovery is number 10, but because my company had a very specific issue regarding data recovery, I had to focus on that for the first six months. I had to ignore CIS and make sure that they were comfortable with their data recovery situation, because that was what was directly impacting them at the time. Okay, so again, these are roughly in priority. I'm going to talk mostly about inventory, because it is the most basic and also the most difficult. Security awareness I want to talk about because that's on here. So where is it? There it is. So it's towards the end. Don't wait; it's toward the end because this is talking about formalized processes; I'm skimming over this very lightly. Security awareness: they're talking about a measurable security awareness program. By the way, KnowBe4, I just want to say that officially on the camera: if you're using KnowBe4, I'm very sorry. And if you're from KnowBe4, hi, sorry. When you're at an SMB, do it yourself to start with. Don't worry about measuring; it's literally just the awareness component. You need to make them aware of how social engineering happens. You need to make them aware of the very basic concepts behind data labeling, because eventually, if your security program is going to be worth its weight in salt, you're going to be doing data labeling, data ownership, stuff like that. Introduce the concept early on. Tell them it's coming; don't worry about it now, but you have to understand some things don't leave the company and other things are okay to leave the company, and that someone needs to have the power to decide what's what. It is critical that you start teaching people that early. This was a little harder lesson for me to learn, because again, I was trying to stick to CIS a lot at other companies, and if you don't get ahead of it, it just makes that culture change so much harder. Who knows... you've probably all heard it: culture eats strategy for breakfast, ten times out of ten, right? You may have
the best intentions in the world, but your company culture is going to defeat it every single time. It is undefeated everywhere. So you have to be an agent of culture change inside of your organization, and this is what I'm talking about when I'm talking about systems. How many of you have really thought, as a security person or an IT professional, that "I need to be an agent of change inside of my company"? Especially when you're at some soulless 2-million-employee company or, God forbid, the federal government. Alan, yeah, we have a fed in the room. Thank you. You want to stand up, introduce yourself? Spot the fed; he's in the sparkles.

You really, really need to focus on that, and again, just like with the awareness training: in the end, awareness training is a cultural change. We always want to go, "oh, the stupid user clicked on the link again for the fifth time, and they're going back to remedial training, and we're not going to let them reply-all anymore." The fact of the matter is that what we do on a daily basis is not normal. Humans do not think about risk, generally speaking; I'm talking risk, capital R, hovering in the clouds. We think about immediate risks, and we have an entire system in our body, the limbic system, that is built to deal with it. And by the way, that same limbic system that helps you survive also kills you when it's not necessary. Your limbic system is leading to heart disease and stress. You shouldn't get fight, flight or freeze when you accidentally replied-all to an email that should not have been; that is not a life or death situation, but your body is hardwired to do that.

So when we get on end users because they're not thinking about risk, just remember: ignorance is bliss. It's our job to put that on our shoulders, and there's a reason why there's high burnout, and there's a reason why there's a heavy mental health toll on us, and there's a reason why there is substance abuse in our community. It's because we are doing something that inherently, physically, is killing us for a living. Be careful out there, folks. [Applause] Okay, I gotta move on; there's so much more to talk about. I can ramble a lot, if you hadn't noticed. This is actually a very different talk for me, because I'm really used to speaking about something very specific that I can talk about forever, and this is a cloud-level talk, 50,000 feet, so I've got to limit myself here.

So let's talk a little bit more about inventory. I love this scene so much: "fella could have a good weekend in Vegas with all this stuff," and one of them is a nine millimeter. So, assets. Where do you mention that, right? What are your assets? Anything with a MAC address. Anything with a MAC address, including your users' home equipment in this day and age. Software: a little bit easier once you know all the assets, if you know all the assets, and there's a reason why assets come first. Services: this is where shadow IT is going to bite
you in the ass, because everyone has signed up for everything and uses it for work. Here's a fun one. So we got a contract from the city to do some healthcare stuff for them. We're not a healthcare provider, but we were literally just sending healthcare data back and forth with the city for a program that we were running, unbeknownst to me. Problem one. Problem two is, what I did know is that the City of Chicago was supposed to be handling all of this in their portal. Before the program started, it was supposed to be set up, and this was a federally mandated program, so if you're not running when the federal government says you're running, big problems. So the workaround became scanning documents with iPhones and sending them to their Google accounts and then sending them to the City of Chicago, who would then email said personal health documents back to us, unencrypted. This is shadow IT, and again, the organization: high risk, get it done, people will die if we don't do this. No one died, but when this hit my desk, my pants... right, like, "this stops now," right? But because I was aware of it, I was able to very quickly come up with a solution, and really yell at the City of Chicago for coming up with that, because again, we're an SMB; the City of Chicago says "oh, just do this," well, the city said to do it.

People. How many people in their organization have an HRIS system? Raise your hand. The federal government has one; it gets hacked a lot. How many people have their HRIS system tied into their master IT directory, whether it's Active Directory or whatever? Anyone? Right. Do they match up 100%? No. So even if you have that, it's going to be your job to keep track of who has access to what, in the end. Obviously role-based access control is needed, right, but before you even put RBAC in place, you need to start checking out who has access to what. Accounts, because it's not just people that have access to IT. How many people have internal software development? How many of you are aware of how many of their personal accounts get shared amongst the entire team to access GitHub, whatever? Yeah, or you don't know, but they are, I guarantee you. So you also need to inventory... don't just think about people, which is important, but you also need to think at the account level as well.

So I'm going to talk about a couple of quick solutions real quick; I'm going to move on. Snipe-IT. Snipe-IT makes a fantastic free product for inventory. If you don't have anything available to you, get this. They have, like, six dollars a month; you can get the cloud version where they host it; otherwise it's free to host yourself. Absolutely fantastic open source, free system for inventory. Nessus Essentials. I like Tenable; that is, in my opinion, much better than any of the other options, both as a practitioner and as an executive who sees this stuff. And then lastly, a new product: organization is different, right? This is why you need to get to know your organization. What field are they in? Are they a utility? What kind of assets do they have? It's discovery. I find searching for risk enjoyable; it's almost a creative process, and I wish I had more to tell you other than you really need to learn how to prioritize what you're going to focus on first, and that is not just company specific but specific to that moment in time with your company, because it changes over time. Humans are terrible at assessing risk, though, terrible at it. Again, why, when I hit reply-all when I didn't mean to, do I tighten up? We're good at immediate risks; we're not good at hypothetical risks, because hypothetically it's anything, it's infinite; our brains don't deal with infinity well.

So there's qualitative and quantitative risk. As a small business, forget about being able to do quantitative risk. Any of you who've done your CISSP, they teach you about quantitative risk. Unless you're at a big company, quantitative risk is out the window. You are not going to be able to figure out if the cost of your control is more expensive than the value of that control. How do you even... that second part is the key: how do you ever come up with a financial number for what would happen if you lost X? Now, yeah, there are contracts involved; okay, we lose that. There are certain things that are quantifiable, but there's always everything that touches it that you can never quantify. So I just want to say, don't try to do it; go on to qualitative risk immediately.

Legal, our favorite. You need to become friends with legal. Sorry, you have to become friends with legal. If your company doesn't have a legal department, I'm sorry, because compliance is all about legal, whether it's federal governmental compliance or just complying with contracts, because a lot of what you're going to be doing is: are you in compliance with contracts? If you don't have legal, get it. Policy: the big risk in policy is not being able to actually do what your policy says, period. The world of hurt is when you have a policy that says "we do this" and you're not doing that, and then an incident happens and your third party goes through discovery and says, "oh, your policy says you were doing this; show us
not just tell us show us you will be right properly um policy i for every single policy in my organization two pages max and three quarters of that is boilerplate about who's responsible for what right procedures stuff like that those can be however long you need them policy short sweet we will do this and we are doing this if you can't do it don't put it in your policy take it out okay um insurance sorry gotta touch on laughs gonna touch on cyber insurance real quick um you have to have it it's only getting worse with ransomware because they've had to pay a lot of money and now they're trying to not pay um the most important thing for your
organization is that your cyber insurance covers communications yes you have to have to ride this ride you need 5 million 10 million 100 billion in insurance whatever but if that insurance does not cover communication of breach you're again very technical term right you're because for states attorneys every single state no not every single last i checked there are 48 different policies around the country about how you need to report breaches that includes when you report it within a certain amount of time when you report how it's resolved what kinds of things you need to report right and for every single missed communication there is a fine right we all everyone likes to think about the
uh reputation risk of a breach and having to report a breach and everyone shits bricks about the reputation risk executives board whatever their what about our reputation there's no reputation to be had if the state's attorney sues you out of existence right so watch your insurance look at your insurance okay i'm running short in time because i talk too much um i didn't move forward okay um how do you get buy-in there unfortunately there's no answer but you need no excuse me no is not the answer let me get that right you can't be the department of no you have to be the department of we can't do that but here's what we can do
or if you don't know what you can do we can't do that but i'm gonna find out what we can do right no create shadow shadow it is your biggest enemy they will work around you to get the job done don't be no say not that but offer solutions and if you don't have the solution right then and there say i don't have this now but i will have it for you by x and give them a solid date that you're going to have an answer by because you can always say oh i don't have it now but i'm going to move x out to here let them know that an answer is coming reassure them establish that trust
Board sponsorship. I went ahead once... You're not gonna actually get an actual security department started, or get funding for security tools or security contractors, without going to the board, because your CEO, or more likely your CFO, is going to be like "well, do we need that to run the business?" It's going to be the first thing to go when they're told, every single time, that we need to reduce the budget company-wide by 10%. Those non-necessary expenditures are the first to go, every time, every time. So you need to get someone on the board of directors of your company to be the sponsor for security, because when those budget meetings happen and all the executives and the board members are in a room going over the annual budget, and you're in there as the director, whatever, the lead of security, secure IT operations, and they go "well, we need to cut pen testing this year," and you're explaining that, it's you saying that, actually, because the CFO has handed you what your budget is, right? And you're like "well, we were going to do this, but there's no budget for it," and then your advocate is going to go "well, why don't we have a budget for that?" and then you put it back on the CFO to explain why security is not necessary, right?

Executive buy-in is very similar. Five minutes? Excellent, okay. Executive buy-in is very similar to board buy-in, but executive buy-in is what helps make the culture lift easier. The board buy-in helps you put pressure on the C-suite to get you funding, but executive buy-in gets the buying into the change of culture much, much easier, because no one wants to piss off the executives, right? Or they do, because they want their job, but eventually they're executives and they have the same pressure from the board on them. So executive buy-in is what helps you with that culture change. Alrighty, I've got very little time for my last section because I talk a lot.

Planning: what are the opportunities and challenges? The risk of thinking like a security person. And what do I mean by the risk of thinking like a security person? That security is somehow its own entity. Again, I want you to think of the organization as a system, as a body, right? What does blood do? What else does it do? Oxygen, nutrients, yes, right. And your immune system is mostly based in your blood, except for the part that's tied to the lymphatic system, which, oh by the way, is directly connected to the vascular system, right? None of these things stand alone in your body; neither do they stand alone in an organization. You have to think holistically. And many of us want to go "oh, don't use SMS 2FA because someone can just hijack your SIM," and... but you know what? It's another step that keeps that attacker and slows them down; they have to bother to SIM-jack you, right, rather than just not having it. Don't let perfection, the idea of "well, the best way to do security is this"... at a small business, any incremental change is better. Don't fall into the trap of going "if I can't do this the best way possible, I'm not doing it." Okay. That is why I say about the risk of thinking like a security person, because I get in so many arguments on Twitter from people just going "well, you know, you can't do that because someone could do this." Well, there is literally no such thing as a secure system anywhere in the world. There's no such thing. Anything can be bypassed. Now, it may not be able to be bypassed digitally at first, it may have to be a multi-factor attack in some way, shape or form, but there's literally no such thing as a completely secure system, so don't get in your head that you need to make a completely secure system, because it doesn't exist.

Due diligence. Very, very important. Last step that I want to really talk about. Due diligence will save your bacon nine times out of ten. And not share... see, so sorry. Due diligence just means: can you prove that you have done what you said you were going to do, right? In the end, this is what compliance is. It is based on due diligence. ISO 27001, all it is, it's a framework that says "what are you doing? Did you do it? Okay." That's ISO 27001. Again, just like policy: don't do anything, don't write a policy that you can't comply with. Don't say you're going to do something and not do it. That's what due diligence is. I've gone through so many breaches, so many events, that people get pissed at first and everyone's scared, everyone's limbic system is going out the door, but if you can step back and show that you did due diligence, or even show where due diligence broke down and understand why, you're gonna be okay. Unless you don't have insurance that covers communications.

Okay, I'm gonna rant. If you're from a vendor, hardware, software: if you make me pay extra for single sign-on, you... [Laughter]

Just, just... you. If you make me pay extra for sandboxing, I know it's a little higher level, as an SMB, you... because my security awareness training is not 100% effective. I could be the best trainer on the planet, I'm pretty good at training my staff, doesn't matter, you've got people who are clicking because they're preoccupied, they're thinking about something else. If you are providing a service that is supposed to protect someone from technical phishes, well, they're, you know, however it comes, from whatever vector it comes from, and you have sandboxing capabilities in your product and you're not giving that to me as part of your product, you... Okay. What else? Licensing. I'm sorry, I can't afford your product if the minimum purchase for the enterprise product is 10,000 units. I've got 200 employees. Useless. "Oh, you can use our SMB product." You mean the one that just has a slide bar from more secure to less secure? No. Just no. There are so many products like that where they just give you a super dumbed-down version for a small business. I don't want it dumbed down. Again, I have the advantage of being a small company with fewer assets, that I can actually know what I've got relatively well. Let me have that full control from your enterprise product to lock things down so that I can get my Cybersecurity Framework 1.2 certification and not have to spend 120,000 a year of my budget to get the product that is required for me to get certified for that, to get contracts with the federal government, to get contracts with utilities, right? If you are a vendor providing to SMBs, rethink SMBs, especially if you are aggregating their data to help your product out in any way, shape or form. I'm sorry, but the surveillance economy is "pay me for my data, give me your product." I'm fine. Use it for what you want, put it in whatever studies and say "this company sucks, look at how bad they are," but give me the services for that data, right? You can afford it. You've got IBM, you've got, you know, companies with more money than God as clients. I've got a couple hundred people, I've got 25 people, I've got five people, whatever. Give it to me. You get more than enough data. Because, as we know, especially if you are a small business that is a third party to government or critical infrastructure, the adversaries know this and that's who they're going after. You're the low-hanging fruit. Protect the low-hanging fruit, for the love of God, we need it.

I've been very fortunate at my current position to have a very outsized budget for a company our size, for both IT and security, and I am still uncomfortable every day at work about what I'm going to find, because there are tools that I need, not blinking boxes, software that I need to automate, because I can't just keep throwing bodies at the problem, especially because I'm at a non-profit. Every body I throw at the problem is a body that is not out there helping save someone's life, right? Systems, right? Nothing stands alone in a vacuum. If you're a vendor, please, for the love of God, start talking to your sales people, start talking to people about giving your products, or drastically reducing the cost, to SMBs, because again, there's a reason why this is from this movie: it's not a happy ending, right? We're... and it's not just SMBs that are... our critical infrastructure and the government is, because no one will protect us anyway.

Resources. Here's some of the things I talked about. The slide deck is going to be available; I still need to put the alt text on all the GIFs, so once I have this done I'm going to put it up. There's my email, there's my Twitter. If you want a copy of the slide deck once it's ready to go, do it. This is just a little bit of the stuff. For those of you who are in the nonprofit sector, TechSoup is your best friend, because companies donate hardware and software to them and you just pay them a fee for handling it. I get my Microsoft 365 E5 licenses for seven dollars a head, just to give you an idea, right? It's still expensive for us because we're non-profit, but it's not 35. So... oh, I skipped over... I know I've gone over, I'm sorry. Alrighty. Tabletopping, another free thing you can do. Oh dear, for the love of God, tabletop, people. Even if your company isn't gonna go "okay, we're gonna bring someone out to tabletop." Black Hills Infosec, wonderful company; if you're not familiar with them, they have pro bono training available, up to free if you can't afford it. They don't always offer that, but regularly, like at least quarterly, they offer free, or pro bono, training. They have a card game called Backdoors & Breaches, which is a tabletopping game that you can use. Also at that link, if you scroll down a little bit, they have an online and a Discord version of it that is free, that you can use inside your companies, inside your IT and security departments, to do tabletopping, so you don't need an expert on trying to come up with these ideas; they've gamified it for you. Another free thing: as I mentioned Fletch before. Fletch, normally you have to, like, go through the whole process and meet and greet, yada yada, like startups; this one actually bypasses all that and just lets you start playing with it, so play around with it, people. Nessus Essentials, for those of you... Tenable is a great product, Tenable.io might be a great product someday, but Nessus Essentials is, again, if you're at an SMB, a free-as-in-beer vulnerability management system that should, I haven't played with it yet, hook into Fletch as well, and if not, I know the guy who writes the API for Tenable, so I'll bug him to make it happen. And then CISA. Who all made it to the Diana Initiative keynote this morning, where CISA's Jen was there? She's amazing. Anyway, they have a website of all the security tools that they keep track of, free tools and services. I wanted to put some of that... it's a ridiculous list, I'm like "what the hell is that?" It's cool, so make sure you check that out. Open source is your friend at an SMB. Oh hey, it's four o'clock. So I think we'll skip the Q&A and I'll just take it out there. Okay, where'd it go? All right, thank you everyone.
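The HRIS-versus-directory reconciliation the speaker raises above ("do they match up 100%? No") is the kind of check that can be scripted, so here is an added example that is not part of the talk or its slides. It compares a constructed HRIS export with a constructed directory export (both made up for this example; the column names, the `svc-`/`shared-` naming convention for service accounts, and the people in them are assumptions) and reports the four mismatches a defender cares about: terminated people whose accounts are still enabled, enabled accounts HR has never heard of, shared or service accounts with no named owner, and active employees who have no account at all.

```python
import csv
import io

# Constructed sample HRIS export (made-up people, not real data)
HRIS_CSV = """employee_id,email,status
1001,alice@example.org,active
1002,bob@example.org,active
1003,carol@example.org,terminated
1004,dave@example.org,active
"""

# Constructed sample directory export (what you might pull from AD or an IdP);
# the column names are assumptions made for this example
DIRECTORY_CSV = """account,mail,enabled,owner
alice,alice@example.org,true,
bob,bob@example.org,true,
carol,carol@example.org,true,
svc-github,devteam@example.org,true,
erin,erin@example.org,true,
"""

# Naming convention for shared/service accounts, assumed for this example
SERVICE_PREFIXES = ("svc-", "shared-")


def load_hris(text):
    """Map lower-cased e-mail -> HR status for every row of the HRIS export."""
    return {
        row["email"].strip().lower(): row["status"].strip().lower()
        for row in csv.DictReader(io.StringIO(text))
    }


def load_directory(text):
    """Return only the enabled directory accounts as a list of dicts."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["enabled"].strip().lower() == "true"]


def reconcile(hris, accounts):
    """Compare people (HRIS) with accounts (directory) and bucket the mismatches.

    Returns a dict of four sorted lists:
      terminated_but_enabled  - HR says gone, directory says still enabled
      unknown_to_hr           - enabled personal account with no HR record
      service_without_owner   - service/shared account with nobody accountable
      active_without_account  - active employee with no enabled account
    """
    buckets = {
        "terminated_but_enabled": [],
        "unknown_to_hr": [],
        "service_without_owner": [],
        "active_without_account": [],
    }
    people_with_accounts = set()

    for acct in accounts:
        name = acct["account"].strip().lower()
        mail = acct["mail"].strip().lower()
        if name.startswith(SERVICE_PREFIXES):
            # Account-level inventory: every shared account needs a human owner
            if not (acct.get("owner") or "").strip():
                buckets["service_without_owner"].append(name)
            continue
        status = hris.get(mail)
        if status is None:
            buckets["unknown_to_hr"].append(name)
        elif status != "active":
            buckets["terminated_but_enabled"].append(name)
        else:
            people_with_accounts.add(mail)

    for mail, status in hris.items():
        if status == "active" and mail not in people_with_accounts:
            buckets["active_without_account"].append(mail)

    return {k: sorted(v) for k, v in buckets.items()}


def run_sample():
    """Run the reconciliation over the constructed exports above."""
    return reconcile(load_hris(HRIS_CSV), load_directory(DIRECTORY_CSV))


if __name__ == "__main__":
    for bucket, names in run_sample().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

In practice the two CSV strings would be replaced by the real exports, and the report is worth running on a schedule so that a terminated account that stays enabled (carol in the sample) or an unowned shared account (svc-github) is caught before it becomes the shadow-IT problem the talk describes.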
okay
All right, this is going to go well. Let's not do that. Do you want water up here? Do you want water up here? Okay. All right, folks. All right, if we could just kind of sit down, chill out, be ready. Can you close the door back there? Thank you. Everyone, come on, make yourself comfortable. All right, we're good. All right, everybody, thank you for being here. It's been a great conference so far. You're about to hear an amazing talk. Wendy is amazing, she's one of my favorite people, and she's going to give you an awesome talk today. A quick couple pieces of housekeeping. Number one, silence your cell phones. We don't want to hear them, you don't want to hear them. Please, no recording, because we are recording. No, you know, please don't, you don't need to. Besides that, if there's time for questions at the end, I will come to you with this lovely scepter of questioning and you will speak into it so that this can go out on the YouTube stream. If there's not time for questions, Wendy will be happy to take your questions off the air, which is to say out of this room, so the next people can come by. With no further ado, the woman you came to see, Wendy Knox Everette.

Okay, hi everyone. You can all hear me? Cool. So I'm going to give a talk that I proposed in May of this year, and I was like, hopefully this is going to be completely irrelevant and it'll just be, like, a cool little, you know, interesting thing on the side. As everybody is aware, that's not actually the situation. So I am... or, sorry, there's been a lot of attention paid to this sort of stuff, when people are all of a sudden realizing that rights that we thought were pretty well established, and our privacy, are not as sacrosanct as we had thought. And so I am a fitness tracker user. I had a Fitbit in 2010, I still wear an Apple Watch, I have a Peloton bike, I have a scale at home that talks to Wi-Fi. I've got a bunch of examples in here from my own personal data. And I'm a CSO at a startup in the healthcare space. I know a ton about HIPAA, probably far more about HIPAA than I would ever want to know, and I've done some threat models of fitness trackers and so forth over the years, looking at sort of privacy impacts and so forth. And so this talk is going to go through a lot of things. You're going to hear me talk a bunch about data that fitness trackers and so forth collect, and one thing I'm going to actually talk a lot about is that this talk is somewhat irrelevant: law enforcement is not actually yet using a lot of this data. It's so important that we realize what gets collected and what the protections are, but this has not really been used in any prosecution so far. This talk is a little bit more speculative, and to inform people and to have you think about things. I am a lawyer; I am not your lawyer. But I do want you to take one piece of advice away from this, which is: do not ever consent to the search of a phone or a computer or anything any time you are pulled over by police or so forth. The one thing you say is "I want to talk to my attorney. I do not consent to the search of this car. I do not consent to the search of this phone."

And so, as I mentioned, we're going to talk a lot about all the very personal data that, you know, your Apple Watch and so forth collect, and it's still not really being used. This obviously could change; things are very fast-moving. I've had to change this talk a couple times over the last two days because of things that are happening, but so far it's been all text messages and searches and so forth. So I'm going to do a very little bit on this. I actually did a talk at BSides in 2018 where I went very deep into how warrants work, how wiretaps work, how PRTTs work, and so if you're interested in this, please go find that talk. Happy to answer questions about it if you go watch it and email me or so forth. But I'll just give you a little bit of a flavor of what this is when police are going after the search history and text messages and so forth.

So a subpoena is one of the lowest burdens of proof, essentially, but it doesn't give you as much information; it gives you metadata. The Fourth Amendment, obviously, was written in colonial times, and so they thought about this as, like, well, it's not that private, the addressing information on the outside of an envelope; everybody can see it. And so if you just want to get to-and-from information, like, we shouldn't need that high of a burden of proof. Obviously anybody who studies stuff like World War II with the Enigma and so forth, you can see that network analysis and so forth will actually give you a ton of information, but we also have computers now to help us with that. But generally, subpoenas: a lower standard, less information, less privacy protection. Warrants give you full content, and so there's a higher burden for that. These are mostly what are used if someone's going to get text messages and so forth, and you need to show probable cause that a crime has been committed in order to get this full content data.

Related to that, law enforcement has started realizing there's all this cool new tech out there with all this juicy information that they could get, so they've started using keyword warrants, which are very problematic from a civil liberties standpoint. You're not starting with a person; you're saying "I want to find everybody who Googled for, like, this abortion drug, I want to find everybody who Googled for abortion clinics in a certain state," and so you're basically fishing for your suspects. I am going to tweet out my slides, so there's a lot of URLs and links in here. I am at 1dck on Twitter, so you can find the slides after. So feel free to take pictures of the slides up here, but I will tweet them. And geofence warrants are also very problematic. These are somewhat similar to the cell site location information warrants the police have done, giving everybody that connected to a particular cell tower. So sometimes they're pulling it from that, sometimes they're asking Google for people who were in a certain area. These were used a lot in the January 6th prosecution: who connected to certain Wi-Fi endpoints within the Capitol building and so forth. Also problematic from a civil liberties standpoint, because you're not starting with a suspect; you're like, let me throw out a digital fishing net and see what sort of suspects might come up in it.

And wiretaps, which is what I have the most legal experience with, are very similar to warrants for stored content, in that you get the full content from them. The federal wiretap statutes say wiretaps can only be used for certain crimes; if you go look that up, it's a huge laundry list of crimes, there's a lot in there. And D orders, that's something else that I have a ton of experience with. This is basically subscriber information, so you can say, you know, I'm gonna do a subpoena to get the to-and-from for my communication, and I'm gonna do a D order for the subscriber information from that, and basically they will do hops along a network to see who's talking to who and who these people actually are. Google is one of the companies that tries to be pretty open about what sort of data they provide. You can go to the Google transparency report center and they tell you, for all these various types of law enforcement orders that I just walked through, exactly what sort of information they're going to hand over.

All of that is kind of cool. I'm a bit of a wiretap nerd because I worked on them and whatever. I gotta say, a lot of what's happening has nothing to do with wiretaps. They don't take the time to get warrants. They capture cell phones and they ask for permission to search the cell phone, and then they take your cell phone and do a forensic analysis on it. There's a lot of tools out there that will basically take phones and extract text messages, extract your location history. I am not an expert on this stuff; there's a lot of people around who are. My friend Riana wrote a really great op-ed in The Hill recently talking about how, if the federal government really wants to be serious about helping to protect women, they could say that federal law enforcement will not help with these cell phone digital forensics searches, because right now this is pretty much what's happening. And so, as I mentioned, they will get the cell phones and ask for consent to search it, and so consent bypasses all of the probable cause and other protections that are in place for warrants and wiretaps and so forth. So very much do not ever consent to a search of a device, even if you are positive you are innocent. Just do not consent.

Okay, so I promised we're going to talk about fitness trackers, and I've just been talking to you about warrants and keywords and so forth. So any time you talk about fitness trackers and health, people go "well, the US has vertical-sector privacy," and health is actually one of the areas where we have a vertical-sector privacy law, called HIPAA. HIPAA does not stand for, like, Health Information Privacy or whatever; it stands for Health Information... sorry, Health Insurance Portability and Accountability Act. Originally it had nothing really to do with privacy; there have been some add-ons with HITECH and so forth. So I'm going to go very lightly over this. It protects information that originates from doctors, from hospitals, from insurance companies and so forth. It imposes some very minimal security requirements, so I tell my dev team, you know, we need to do this for HIPAA, but we really need to do this to be secure, like, the HIPAA requirements are pretty low-key. It has a bunch of administrative and technical safeguards in place, like your stuff has to be encrypted. Oh dear. So we had an outrageous speaker request for all the hugs,
so we formed a hug squad. Oh, amazing. Ready, hug squad? Everybody!
[Applause]
Talking about HIPAA and getting a hug squad is maybe the bestest.
Cool. So why does all this matter? What use is HIPAA? HIPAA really is to protect your health information, so that if you work at a hospital and you have access to medical records, you can't just go spelunking through the medical records to see, you know, does my neighbor have a particular disease, why was a celebrity in the hospital. You can only access HIPAA-protected health information if you're authorized to access it, aka providing care, so forth. There are a ton of exceptions in there around law enforcement, though, so since we just talked about warrants and wiretaps, we'll go quickly through some of these. These are all on the HHS website if you want to go look at them in more detail. So you can just get a subpoena for this information, like we talked about: to identify or locate a fugitive; to basically give over information about a victim of a crime to help prosecute it; to alert law enforcement that maybe someone was assaulted and they've died, and so now it's a murder suspect or murder investigation; in good faith, if you think a crime has occurred at the hospital. There's also a huge exception for, like, protecting the President, so someone goes to a doctor and says "I want to shoot the President," they're allowed to go alert the Secret Service, that sort of stuff. And HHS has recently released some guidance around disclosures around reproductive care. Essentially it says, if you're a nurse and you suspect someone had a miscarriage that's suspicious, you can't just on your own go and report this to the police. However, there are still all the law enforcement exceptions in place, so it is still valid under HIPAA for, basically, law enforcement to send a warrant to a hospital to ask for information if they think it's a crime in that area.

So is all our fitness tracker data, like the Fitbit and the Apple Watch or whatever, protected by this great set of protections? No. Basically, fitness tracker information is created by us, and we are not covered entities, and so therefore HIPAA is pretty much off to the side. So it's a nice vertical-sector privacy law that gives some safeguards; it does not apply to fitness tracker data, almost always. Are there some exceptions? Like, if you have a pacemaker, or you're wearing an insulin pump or something, under a doctor's orders, the information from that is still under HIPAA, but not your Fitbit or your Apple Watch.

So what is a fitness tracker these days? Like, we say "oh, you know, a Fitbit," that's certainly one, that's sort of the classic fitness tracker. My watch tracks, you know, oxygen saturation, my heartbeat and so forth. My phone: if you keep your phone in your pocket while you're walking around, it will keep track of, like, how often are both your feet on the ground, how fast you go up and down stairs. I have this scale at home and it reports all sorts of stuff up into the cloud for me. I have a Peloton, because I also stopped going to the gym during the pandemic, and I have one of these and it talks to Apple Health and Google Fit. So the fitness trackers know a lot about, you know, body attributes about us, what's our heart rate and so forth. They also know some other stuff that law enforcement might be interested in. Where you were is a really big one. And so this is not actually an example from a fitness tracker, but I thought this was, like, a nice tweet that sort of summed it up. This is from the recent thing where the Tim Hortons app in Canada got in trouble for tracking when people were coming and going from work and from home. And so this is the sort of information that's just available on your phone if you have an app and you've given the app location access.

There's also a really famous example in this area of Strava leaking private military bases. People would scroll around on the map and be looking at these really empty, desolate areas in the Middle East and go "why is there, like, a little square with a whole bunch of people running?" and it turns out those were secret forces bases, and they absolutely did not intend to do this. You know, they're very smart people, but they're not, you know, engineers, and they didn't maybe notice that the stuff was by default public. One that was very disturbing to me is one that just came out somewhat recently: Strava's Flyby. They're like, "well, okay, part of the problem with leaking the military bases was that you could see stuff that wasn't close to you, so we'll make sure that all the location stuff is near you. So if you run past someone, maybe you want to find out what the running route is." It turns out a lot of people start and end their runs at their home, so you could find someone's home address by running near them. They didn't really learn anything from all of this. They made some default privacy changes, saying, you know, you'd have to upload runs nearby. This is from June; I just, you know, had to pull this after I submitted this talk, because you can upload completely fake fitness data into Strava, showing, like, completely unreasonable times, and it will show you running routes near you, and someone used it to discover a bunch of secret military sites in Israel. So location stuff can be very sensitive if you don't think carefully about how it can be abused. Apple Health also tracks location. They're a little bit more privacy-protective. This is from a walk I did near my house, and you can see there is a map. There's not really any way for me to share that map publicly, so it's in my Apple Health. If you use Peloton and you do outdoor walks with them, they have maps and they will allow you to share it publicly, so it could sort of go through there, but that's not by default public, so it's a little better. But the information is still there if law enforcement, excuse me, wanted to submit a warrant for it. And fitness tracker stuff is super common for people wanting to track their bike routes and their running routes and so forth, and so there's a lot of stuff on the websites for these tools that explains to you how to turn it on, how do I use this to track things.

So in addition to the GPS, as we mentioned, there's a lot of private health information about people's bodies that these trackers have and that they store. One very interesting fitness tracker is the Oura ring, and they have a temperature sensor in them. I'm sure most of the women in this room know this, but for the guys: your body temperature changes when you ovulate, and so body temperature actually can be a very good indicator of fertility, are you pregnant, are you not. It's different for every woman, but overall. And so when I was talking about this with some friends, they're like, "oh, but, sure, Oura is tracking your temperature, but you have to very carefully take your temperature if you're trying to get pregnant; it's probably not accurate enough, it's not really a real risk." So Oura is like, "oh no, here's how you can use it to track if you're ovulating. Let us tell you how you do it. Let us even give you some scientific studies to show exactly how precise it is." So, as I said, I don't think anybody's actually using this in court so far, but if you wanted to bring this evidence in, Oura is going to help you authenticate that data to show, possibly, that someone actually was ovulating, stopped ovulating, therefore maybe was pregnant.

So in addition to just things like Oura trying to guess if you're ovulating or not because of your body temperature, there is a ton of support in these apps for cycle tracking; that's a little bit more manual. There was a huge wave of articles in May, June about "should we be using these cycle apps? Should we delete it? Do we need to delete all this data?" That can actually have serious health implications for a lot of women who really need to track their cycle. The controversies around these actually even predate what happened in May. This FTC consent order is from January 2011... sorry, 2021. I can totally talk. Flo was releasing a lot of data to advertisers and not really letting their users know that, like, "hey, you're putting this very sensitive information into the app and, you know, we're sending it to advertisers." And Apple Health and Google Fit finally woke up and realized a lot of women use fitness trackers, and added cycle tracking just directly as, like, a primary sort of thing that can be tracked through those platforms. And I think that I took this picture from Google Fit; actually, looking at it, I don't remember if this is Apple Health or Google Fit, but it's pretty similar between the two of them. You can just go in and enter the data
So I've been tossing around a lot of terms about Apple Health and so forth. These are the four really biggest players in this field, and they all interoperate. So when I ride on my Peloton, I send the data to Apple Health, and then it sends it to Google Fit, so they all have APIs and work together, and so your data's kind of replicating out among them. One of the other reasons why these are sort of the big ones in the field is that each one of these also supports a lot of third-party apps. These are things like, the Peloton is actually a third-party app in this; Strava is somewhat a third-party app on, you know, Fitbit and so forth; and there's tons of other different apps you can get to plug in, like sleep trackers, meditation, so forth.

There's also wildly varying quality. This is my favorite Fitbit app. We came across this when we were looking over various apps in the field. This app literally does nothing but put a roach on your Fitbit watch and have it dance around. When I first saw this I was like, oh, this is like one of those flashlight mobile apps that really steals your contacts, but it appears not to; it actually doesn't ask for very many permissions. It literally just puts a roach on your watch and dances around. But if it wanted to, it could have access to all of your health information. There's a lot of trust that's happening here, and the way that this is governed in the Google Fit, Apple Health, and so forth sort of space is through permissions, and there are wildly varying permission models among these.

Apple Health is really good in that it gives you the chance, app by app, to share what data goes. This is my scale asking for permissions. I'm unsure why my scale needs my body temperature, but I have it turned on because I was too lazy to turn it off. I could individually toggle these off and on. It also allows you to see all the stuff. Again, I'm unsure why my scale keeps reporting my height, because so far as I know it doesn't have a laser height measurement, but there I continue to be somewhat short. Google Fit, on the other hand, has much coarser permission sets, so you can basically give it access to, like, vital health or not, and it's a little harder, app by app, to say, like, yes to temperature, no to heart rate. They do, however, give you some really nice ways to delete data if you decide you no longer trust Google Fit and no longer want to use it. They have Google Takeout and a bunch of other stuff, but right from within the app you can go in and delete a bunch of saved data.

And so one of the other nice ways to see all the data that these apps support, and that you can save and whatever, is to go through their developer notes. So I've spent tons of time going through developer SDKs in the health space and looking at, like, what could I be storing in this system. So here I can track cervical mucus, which is something that people look at if you're pregnant or if you're trying to become pregnant. This would all be obviously, so far, self-reported; I believe you could write an app that attempts to auto-write this. I can report the results of an ovulation test if I wanted to. I can report spotting. If you're looking to prove that someone had a miscarriage, this might be some data that you would want to look at, and Google Fit has an API to read and write it.

So one of the other things, in addition to the primary health stores and the third-party apps, is embedded ad libraries, because this is the mobile ecosystem that we live in. And it's actually not often displaying ads to you; there are certainly apps that will show you ads, but this is much more the apps collecting data and sending it to third parties who then want to use the information to market to you. Apple Health has recently done a bunch of basically UX improvements to surface to you what sort of permissions stuff is going to request. This is the Moody cycle tracker showing you roughly what types of data it's going to collect. This is another one which I cannot remember, I should, oh, Flo. This is Flo showing you what sort of data they're going to collect. You can see it's a little different: the data linked to you, location and usage and so forth. Here we had a bunch of other stuff that is not linked to you, so this is a much more privacy protective app than this one. And so Flo had the FTC consent decree; it's part of why I went, I was like, I'm curious what they're showing that they're using. And so you as a user can educate yourself and say, like, oh, well, I'm a little concerned about all this data being linked to me and Flo holding it. You know, maybe I'm okay with this being in Apple Health data centers, because Apple has a really good legal team, they have strong protections, and we're going to actually talk about how Apple Health stores this stuff, but who knows what Flo does. Maybe Flo has a server under a developer's desk, plugged in, like, at their home; I am unsure what their security and privacy protections are. HIPAA does not apply, so, you know, we're not necessarily even encrypting this stuff.

The other one that is not as invasive as ad libraries but is also somewhat of a problem is the crash analytics and usage and so forth stuff that you can include in your apps. A lot of developers include third-party things that will basically track how people use the apps or where errors are occurring. They're really good for helping developers make the app better, because they give them a lot of useful data. The side effect of that in a health app is that they're going to know what was essentially on the screen where the error happened. Maybe, you know, your heart rate spiked really high and it couldn't handle a heart rate of, you know, 199 beats per minute, and so therefore you overflowed some field, and so now they have that information also. And so again, this is just an Apple Health app screenshot sort of showing that it's collecting usage information and it's linking it to your account, so you can collect it a little bit more anonymously or tied to a particular phone.
So we're putting a lot of trust in the companies that hold this stuff, and we think a lot of times in the field about protecting from, like, hackers, protecting, you know, from accidental data breaches and so forth. We don't always think about protecting from the government, unless, you know, you've been in the civil liberties space for a long time. This is a little bit more of a new angle on some of this, and so there's been a lot of talk about, you know, like, what is Microsoft going to do, what is Amazon going to do, and part of the reason why I had to redo this talk this week is, I believe on Monday this came out. There's a teenager in Nebraska whose mom helped her self-manage an abortion. Her friend went to the police and told them about this. The police came and interviewed her; she scrolled through her phone while they were there, and so the police got a warrant. This came out, I believe, Tuesday; I think I put the slide in on Tuesday. They released the warrant saying, well, we saw them scroll through the phone and we believe there's evidence of a murder in the Facebook messages that she showed us, and they went to Facebook with a warrant for Facebook message data about murder. The messages were released, and so the police are saying that this shows that yes, she did have an abortion, I think they said at 24 weeks, which they say is illegal in Nebraska.

And so I put this in mostly to show that still we are not really looking at fitness tracker data yet. Like, it's great that we're aware of all this, and we do need Apple Health and Google Fit and whatever to protect this information if police become interested in it, but that's not even where the fight is right now. The fight is over, you know, messages and whatever. But they do have all our health information, and Apple is pretty open, like Google, about what sorts of data they will turn over in response to what sorts of legal requests that come in. Apple's legal process guide, again, that's a link you're welcome to click on when I put the slides out, will give you extensive information about what you would get in return for a warrant and so forth. Apple stores all health data in CloudKit, which is what they use for iCloud, and so it is actually end-to-end encrypted, and it's fairly limited what Apple can actually see. This is very similar to the problem that happened with the Apple versus FBI fight, where the messages were encrypted and Apple's like, we're sorry, we can't give you the plaintext of this because we don't have access to it. This is similar to if you use Signal or some other end-to-end encrypted messaging service.

And Apple has recently put out some guidance about how they protect users' health data, talking about, you know, it's end-to-end encrypted, we use very high standards of security to protect it and so forth. Google also put some stuff out saying, yes, we also protect health data. One of the things that Google noted is that Google Fit is a fairly small player in this space, but Google Maps is huge. A lot of people use Location History. I actually have Location History on my phone; I found it super useful if I want to be like, oh my gosh, I was on vacation, this place, I went to this really great donut shop and, like, I want to go back when I go back three years later, let me go look roughly at the dates and see where I was. And so I personally have found a lot of use out of it, so I keep it on, but this is again, you need to think carefully about should I turn it off for a few days, should I bring my phone with me. I know people generally recommend, like, if you are in one of these situations, don't do something weird like, you always use your phone and all of a sudden you don't, because that can look suspicious. But that's a little bit outside the purview of this talk.

But so they realize that this location data is very sensitive. I don't want people to have to make these choices about, like, do I incriminate myself by not bringing my phone, do I incriminate myself by bringing my phone. And so they're, on their end, deleting a lot of location data in sensitive areas. They are basically improving the sort of information that they show you about what the health apps track, so very similar to those Apple Health screenshots that I showed, they're doing some work there too. And they have basically a little verbiage about how they push back on overbroad warrants. So I know from my time working in this stuff that there are all kinds of ways that warrants can be goofy, and you can either choose to be like, okay, I'm going to read this as it really should have been and give you the data, or I'm going to reject the entire warrant on a technicality. And so they try to push back a lot on technicalities. That can be very expensive; it's a lot of attorney time. So Google can do this, but a lot of the smaller folks can't. And also remember this data is also in the smaller third-party apps, and so I was like, I wonder if any of them are putting out guidance like Apple and Google just did. It turns out, not really.
This is Flo's privacy policy. They note, like, hey, we secure your data, and they actually say, like, hey, you might not want to delete your data because then our app might not function the way that it's supposed to. Oura ring has some stuff up where they talk about locations and period protection, whatever; they don't say a lot about what they're going to do in response to warrants that come in. Strava also has some stuff up talking about the information that they have, not really a lot about, hey, what are we going to do if we get a warrant for someone's location information showing that they were near an abortion clinic or not.

So as we've been mentioning, a lot of this fitness tracker stuff really is just circumstantial evidence: was a person pregnant, are they now not pregnant, did they go near an abortion clinic. This is not like a text message saying I went and had an abortion. So one of the things people are concerned about is the states where abortion is illegal after six weeks or so, that they will try to find, like, the date of a woman's last period and use that to prove that, you know, we know an abortion happened and it happened after a certain date that is illegal in this state. And so there is a lot of concern about what they could infer from the fitness tracker data. Again, I have not seen any cases where this has happened yet, but we're also still very early days.

One of the scenarios here that people worry about is traveling to another state to have an abortion. So did you go to that state, were you pregnant when you went to this state, are you now not pregnant. There's been a lot of speculation about what might happen here, what will happen with crimes across state lines and so forth. Another one is I'm at home and I order mail-order pills, or I get a hold of pills some other way, and I do a self-managed abortion at home. This is probably where they're going to look for search history. Probably what really seems to be happening in these sorts of cases is what happened in Nebraska, where you tell someone that you had a self-managed abortion and they go to the police. So I've seen a lot of stuff out there saying, honestly, the best advice here is to think very carefully about who you trust and who you talk to, and again, this tends to be search history and text message or, you know, Facebook message sort of stuff.

So a lot of this, like in all things in computer security, comes down to: it depends. What is your risk model? I am still using fitness trackers. I'm also extremely lucky to live in Washington State, and I'm a very privileged person who could up and fly to other states, or I could probably go to Canada very easily. If you are a teenager living in Texas or so forth, you're in a very different situation than I'm in. And one of the things that's very scary with these is pretty much any woman could be subject to an ectopic pregnancy if they accidentally got pregnant, and those are always fatal if they are not handled, and there's a lot of state abortion bans that are trying to include these.

So this is a non-opsec talk, but I'll throw a little bit in here. The New York Times had a fairly good article that was written, you know, mostly to a general public, that talks about a handful of things like turning off location sharing, although again, think carefully about turning it off just for two days; resetting mobile tracking IDs on your phone so that you can't necessarily be tracked across all these different apps; telling Google to just never store Location History, and so forth. There's a group called Digital Defense Fund that does amazing work here. If you're interested in this stuff, they are really who you want to talk to, and read their guidance. They have a wonderful abortion privacy link up on their website, and this is a really great graphic that they made that talks about all kinds of ways to protect yourself. These are the experts. I know about HIPAA and I know somewhat about threat modeling fitness trackers; I am not an abortion privacy person. I mean, I guess maybe I kind of have been since I gave this talk, but not really. These are the experts; this is who you really want to go talk to. And these folks have done some vetting of period tracking apps, and I went and looked at them and I agree: these are probably your best bet if you need to use a period tracker, because they're not tracking that much and they're very privacy protective. So, like, Apple Health is end-to-end encrypted and you have Apple's attorneys, and some of these are tracking just locally, not syncing it into a cloud. So if you want to use one, those are pretty good options.

But again, really, this fitness tracker stuff is kind of cool as a privacy nerd; it's interesting to look at, but this is not where the real threat is. The threat is text messages and so forth, and they're looking at search history. So I'll throw up a couple of resources. These are people who are actually experts in this. Kendra, Maggie, and Emma did a really nice Medium post, Fear, Uncertainty and Period Trackers, that really goes through a lot of this, and they have sort of a follow-up talking about, like, how period trackers could be used to try to prove women are pregnant. It's great.
And so that is my talk. I think I have some time for questions. Cool. Okay, and somewhere around there is a mic.

All right, if you ask a question and I can't hear, I'll ask you to come up closer to me, and I will try to repeat it. So who has one?

Okay, the question was: I talk a lot about end-to-end encryption as a way that companies can protect user privacy, and there's a question, are there any laws about that, like, he said specifically about deleting data. Oh, wow, that is the can of worms I somewhat was avoiding here. If you work in this space, you're probably aware there's a lot of push to say that law enforcement has to always be able to get into messages. It sort of comes from the Apple versus FBI fight with terrorism. There's a lot of concerns about CSAM, child sexual abuse material, and so forth. These are very legitimate concerns; they still have very far-ranging privacy issues. And obviously, if you have end-to-end encryption that is intentionally broken by law enforcement, that is, in my definition, no longer end-to-end encrypted. I do not trust law enforcement to keep whatever escrow keys they use private. You can all go read about Matt Blaze's fun with the Clipper chip; I'm a huge fan of encryption history. So, yeah, well, that is a huge policy sort of fight that is happening in the US and the UK and Australia. I have given talks on it; I'm not an expert on that. Write to your senators and tell them we still need end-to-end encryption, because it does more good than harm.
So the comment was that you can just not collect data. So those period trackers that I showed, at least Euki and Drip, sort of take that approach. That is very hard in our ad-driven ecosystem. I spent many years at Amazon as a developer working on personalization recommendations; I'm well aware of the business need to collect a lot of information. It is such an uphill fight. There are people who, like, you know, try to fight that. I use uBlock Origin in my browser, which blocks a lot of stuff, and I still get ads following me around the internet, and I'm like, okay, come on, I'm using Chrome with this ad blocker, why do I see the same pair of shoes on every, or, you know, forced into my Facebook feed or on Instagram and so forth. So yes, but I really don't like privacy and security advice that sort of puts the fault on users; I prefer policy changes and so forth. And so, yes, that's a way to protect us, but it's not a really realistic answer. Any other?

No other questions? All right, awesome. Thank you so much for coming to my talk. [Applause]
All right. Oh, I'm totally doing this on tiptoe. All right, everybody, thank you for coming. If we can get the door closed. Thank you for a wonderful BSides, thank you for being here for our very last talk. We have an awesome talk on busting biases in infosec, and everybody's probably heard my spiel about please keep your cell phones off, please don't record things because we're recording it for you. If you have questions at the end, try to speak up; they'll repeat them. If not, you can always come up to the mic. I'm going to get out of your hair and out of your way so we can hear this talk.

Cool. So who answers to the pronoun I? Or you? Don't raise your hand. [Laughter] That was good; I didn't expect that. What's really funny is that I said "you" at that point, and there were multiple people who raised their hands. All of you identified as part of that "you," even though I was talking to a group. Isn't that interesting? But if I say who answers to the pronoun I, are you, the rest of you, and your brains just went, they're not talking about me now, he's talking about that person. This gentleman here said, well, he's not talking about the rest of everyone, he's talking about me. There was a part in your brain that clicked on and off without you having to analyze what I was saying. Think about it: there was something in your brain that just clicked and said, that's me. What was that?

You see, over the course of millennia and hundreds of millennia that we've existed as a species, but as far as brains have existed, throughout millions of years, evolution has essentially crafted our brains to develop patterns, and these patterns have done all kinds of things for us, mostly around survival, right? If your brain doesn't develop a pattern to identify the rustling trees and the rustling bushes as possibly dangerous, there may be a bear or tiger or something back there that's going to eat me, I need to get out of here, you probably didn't survive long enough to pass on your genes, and therefore your brain functions. The people who did develop patterns, and the animals that did develop patterns to react and to be able to form those split-second, they're not thinking about it, it's just the instinct, that gut feeling, those are the ones that survived. And so these brain patterns exist and these brain patterns persist even today.

And even walking in and sitting down, I've already shown how you've already made a couple of little assumptions there, but even walking around, you've already, by processing sensory input about what's going on up here with me, you've already made assumptions. You may not realize it. For instance, you may think that I can see you right now. I can kind of see these people up here; I can't really see the rest of you, you're a blur, and it would really help if I wore my glasses. These aren't my glasses; these are some empty frames. Now how many of you thought those were my real glasses? There may have been a few of you. You didn't think about that; you didn't go, oh, I handled your glasses and you can probably see with those. Your brain matched a pattern, made an assumption, did not raise it in your consciousness to see that. But now when I did that just now, put my fingers through the frames and revealed that, for those that didn't know, it probably twinged you a bit, like, oh wow, I got tricked just a little bit. It's not a huge trick, but it's a little trick, courtesy of the great James Randi. But you probably had a little bit of, wow, something happened there. That something happening there is your brain going, wow, my pattern didn't work, I need to develop a new one. And so now your brain's already saying, just like a SIEM rule, you're already starting to slightly adjust your pattern: maybe I should see if there's some kind of reflection in the lenses before I just assume someone has glasses on. Or maybe your brain just goes, like, you know what, this was a weird one-off situation and I don't need to develop a pattern for that. Whatever. But your brain is raising alarms. Now the question is, you didn't do a thing about that. You didn't decide for any of those things to happen to you; they happened to you. So the real question is, what choice did you really have over any of that?

Thanks for coming to this talk. My name is Oddjob, and I am a co-founder, board member, and CEO of Circle City Con, and I've been hacking for 10 years. In fact, it's really interesting, my first DEF CON was DEF CON 20. Noob. So that's been really fun, to be able to speak at BSides LV's ninth year, so I'm very happy to have that. I also work for a Fortune 500 as a cyber resiliency director. And just a fair warning, I am not a psychologist, I am not a neurologist, I've just learned from some of them, but I am in no way trained. Uh oh, I am being approached. I need an adult. It's okay, I'm not a roving bartender. [Laughter] I am an evil fairy, and I believe you requested... Oh my goodness, it is perhaps possible that I did. Actually, I forgot I requested this. Oh wow. All right, well, you're gonna get Malört-faced through this whole talk. That's true. It keeps going too, like, ah, like, you know how, like, a wine kind of develops? That just kind of, yeah. It's glorious.

And there also may be some advice that I give that might be considered somewhat of a legal nature, but I'm not a lawyer and I'm not giving legal advice. Go talk to your lawyers about some stuff that you may find legally, I don't know, suggestive, later. So here's what we're going to talk about. We're going to talk about base assumptions about our brains, because that's where our base assumptions come from, right? And then we're going to talk about some biases and fallacies and what those are functionally within our brains. We're going to talk about how bias arises in infosec, so how do we see biases in our everyday lives, including in our jobs, especially when we're trying to convince people to maybe do certain things or not do certain things. We may have to help them overcome their bias, and we need to overcome our own on various levels. And then we're going to talk a little bit about things you can do to help mitigate, or kind of start on a path to notice and mitigate, your own biases. And there's some junk down there at the bottom of this slide; don't know where that came from. So let's get back to this,
because we didn't we didn't answer that question did we who answers the pronoun i or you well again it's all about brain patterns and the real question is what are you yeah you're the meat suit but like what are you so what is generating the eunice that sounds like woo but we're gonna get into consciousness here so i want you to take a moment to hold something in your hand it could be your badge could be a can of something and i want you to feel like there's there's some texture maybe there maybe there's a corner don't if it's coke can don't like cut yourself on any of the thin metal um but yeah just kind of carefully and
think about that you know notice what's happening now it's interesting because the sensations you're receiving obviously are the touch but the quality of those sensations that are going on in your brain right now you have no control over those are things your brain are just doing for you it's popping up in consciousness everything you're noticing about your badge by the way you now have a better understanding and feeling for your badge than you probably did five seconds ago none of that is your decision you're not making any decisions about what's going on right now with how you're thinking and the way your brain is right now formulating what it thinks and what it's doing with this so this is very
important to kind of understand so the other question i want to ask is
essentially make sure i have a on the right slide there okay so the other question i want to ask you is i want you to think of a song that you like now you notice i put some patterns in there or some pauses in there one of the most interesting pauses was between song and you like how many of you when i said song immediately thought of some kind of song okay was it a song you liked okay someone said no that's interesting because your brain actually does like to remember negative experiences more than positive but if you've listened to that song loads and loads and loads of time that pattern may override the negative
pattern so that's interesting but the point i'm getting at is you didn't choose what song popped into your head you didn't go of the library of music that i'm aware of in my napster down i mean my apple downloads that's the song i want to choose your brain said do a lipa right something that was it okay awesome i'm a mentalist [Laughter] so but you've got that you did not choose to select that song of any choice we could possibly think we really make in life that should be a choice we think we should be able to make because it's completely within us that's nothing to do we think with the outside world but but let me ask you another question how
many of you think if we were to go back just however long it takes to go back to the time before i asked that question and you know nothing about what has happened over the last 30 seconds how many think you would have chosen a different song neurology tells us you wouldn't your brain state would be in the exact same space as when i asked that question and because it was and the circumstances are the same given everything's equal you would come up with the exact same thing now if i were to ask it you'd come up with a load of other things but again you're now in a different brain state okay okay okay so what
control do we really have over our minds then we don't know we actually don't know this this is something that's very misunder not misunderstood but there's just not a lack of knowledge in there um a lot of the things that we have just i've just triggered in you to think about don't lie at the high level of consciousness because you could review your choice and be like i think i actually really like this song more you could do that and to that level maybe you have a choice but that gut instinct you did not have that choice so really what i want to now talk about are biases because biases live in that world that we just dove into in your
So let me help you understand this. Biases are a prejudice in favor of or against something: people, objects, ideas. An explicit bias is something that you would admit; it's something self-reported. It's essentially a belief you hold. For instance, a very common, well, I won't say common, but probably commonly known bias: you know, someone might say, "Well, I believe men and women are equal, but women are built differently and their minds work differently, so therefore they're not suited for certain positions. And you know what, men aren't really people people, they're not suited for that, they're analytical, so they really shouldn't stay at home and do any of that kind of work, because they're men, they're just built differently. We're equal, but we're just built... overly." That bias is an explicit bias. It is self-reported.

Implicit bias is not something you would even know to admit to. It's not a belief you maybe even know you have. An implicit bias, though, does affect your decision making, because it's in that unconscious part of the brain that we just went into, and it's something that you don't necessarily become aware of until someone kind of does something like this to make you aware of where this is. Which actually is funny, because there's some "HTTP not found" here, so maybe there's something fun there.

So, an idea of an implicit bias, for instance: there was a... there were some name studies that have been done. A very interesting name study that was done, I forget which institution did this, but they essentially submitted loads of applications to job postings. Essentially what they did is they had job postings and they had applications, and they had some male-sounding names, they had some female-sounding names, they had some culturally white European-sounding names, they had some culturally Black-sounding names, some, you know, Latino-sounding names, Asian-sounding names (and I know that's an entire continent, so there's all kinds of different names that can go there). But they did this; they sent this to people. But then, you know what else they did? They took some of the same resumes and just switched the names, and they were judged differently just because of the name. They didn't go, "Oh, well, that has to be, you know, this person, so I'm not going to do that." They may not have had that going on in their brain at the top level, but at the bottom level there was something about the name that biased them at the implicit level against that resume and caused them to downscore it. Now, it's not like there's a 50% difference in scoring, but it still is significant enough to where you won't get a callback.

In fact, I remember, as an anecdote, there was someone who was trying to apply to Target, and she's Black. She changed her name to a male and white-sounding name, and sure enough got a callback immediately. That's an anecdote. The plural of anecdote is not data, but definitely the singular anecdote is not data either. But that's just another illustration, further, of this phenomenon that we have this implicit bias. And by the way, this wasn't just men that were reviewing the resumes; this was also women. So this is something that we all actually can have within us.

Something else I want to talk about is fallacies, and in order to understand
fallacies just a little bit, there's two things that you need to understand about reasoning. This is a syllogism. It's a way of essentially arguing and laying out an argument to where you can say, by the time the conclusion is cited, that yes, this is true. So let's look at this. Premise one: all humans are mortal. Premise two: Oddjob is a human. Conclusion: Oddjob is mortal. Okay, there's two things that have to be there, two things that have to be correct, in order for this to be not only a true conclusion but a reasonable conclusion.

First of all, the premises have to be true. Now, we could go and talk about whether there are any immortal humans walking amongst us. If any of you are 25 and are actually 25,000, please let me know; we want to run tests on you and keep you in a lab in Area 51. But we do know there are immortal beings on this earth. There's like little microscopic hydra that literally don't age and don't die; their cells reproduce perfectly every time. Jellyfish are immortal; they don't die, they just die when a sea turtle eats them for spaghetti. You know, I was watching a video the other day and I said, "This is beautiful. Oh wow, this is actually horrifying," depending on the perspective. So, so yeah, so the premises look like they're true. Great.

But not only that, it has to follow. Now, what do I mean by follow? Well, we could also say Oddjob is mortal, which we all agreed upon in the last syllogism. We could say all humans are mortal, which again we agreed was the premise of the last one. But can we say Oddjob is a human because of the first two premises? Well, I could be a dog and still be mortal. [Laughter] Right? So it does not follow. Just because Oddjob is mortal, and just because all humans are mortal, it doesn't therefore follow that Oddjob is human, even if the premises are true. So there's those two different things about logic that you've got to understand here.

Fallacious reasoning happens also at that base level, that bias level, that implicit level of the brain, to a degree. It kind of hops up a little bit between implicit and explicit bias, but essentially they... those things really