
The Infosec Survival Field Guide

BSides Lisbon · 2018 · 39:04 · 533 views · Published 2018-12
Category: Community
Style: Keynote
About this talk
Information Security, what an exciting field to be working in. You get to be a part of a global community that secures technology and ensures a safe, digital environment for everyone. Or at least, you get to try. While at the same time juggling half a dozen different, conflicting demands from stakeholders, trying not to get into a Twitter shitstorm just yet, somehow trying to figure out if shelling out some bucks for another industry certification might land you a better job. This talk will take a look at the security industry and community and ask: Is that really what we signed up for? How can we cope with the growing pains of becoming a 124 billion dollar industry - and why?
Transcript [en]

Thank you so much for having me, thank you so much for getting up somewhat early and being here. I see people yawning in the audience already, it's always a good sign to start off with. No, I'm super excited to be here. I arrived on Wednesday, I was here for the entirety of yesterday, I saw a bunch of talks, I worked on another part of the talk. You're wildly gesturing, okay. So, right, on Wednesday, the first day of the conference, I think it was amazing. There weren't any keynotes yesterday though, so I didn't have a standard to aim for, but they told me I could talk about whatever I want, and they told me that keynotes are usually non-technical, so maybe keep a bit of a contrast to the rest of the program. So that's what I tried to do.

So I thought long and hard about what I was going to present on, because usually when I speak, I speak on penetration testing, I speak on red team testing, stuff like that. It's usually very technical, and I was kind of happy I didn't have to do that here. So I thought I would talk about my experiences in the field, because I've been around for a bit and I've maybe made an experience or two that might be beneficial to others that are working in this field, maybe for not too long now.

So I promise there won't be a lot of audience participation in this whole thing, but if we could do this thing in the beginning really quickly, and you could all quickly get up for me, that would be really great. Just stand up for a second, because I want to get an idea of what crowd we're dealing with. I know there is a large influx into the industry recently, so I know a lot of you have been around for a while, but some of you are newcomers. So if any of you have worked in the industry for longer than 20 years, could you please sit down for me? A handful of people, fine. If you have worked in the industry for longer than 10 years, you sit down now. All right, it's still a bunch of people standing, hello there. If you have been working in the industry for longer than five years, please sit down now. Three years or longer? Okay. If you went into infosec this year, less than a year, please remain standing now. Okay, so a lot of people. You can all sit down now, thank you so much for doing this with me. So you can see there are a lot of people that are new to this industry, there's a lot of fresh blood, and I think that's amazing, but I also think that gives a lot of challenges.

I will skip that, because we'll hear enough about me. We're in this constant wave of transformation right now. I actually stole that graphic off the internet, so I don't really actually know what creative destruction means, but I know that there's a lot of stuff changing right now. Even if you look back 10 years, a little bit more, when the first iPhone came out, and you compare how life was back then compared to now, you can see massive differences. People are now walking around with a tiny computer wherever they go, and it's not just techies, it's everyone. Everyone has a computer with them all the time, and they use it for various things. So we're already using it for electronic banking, we're already using it for online shopping, but we're expanding on this now, we're venturing into new spaces that you can use technology with. In Switzerland, where I live, we're currently exploring the idea of electronic voting, which is something that already exists in Estonia, but now we want to do it in Switzerland as well. You may or may not know that Switzerland is one of the few direct democracies in the world, so we don't just vote for politicians who then make decisions for us, we get to vote on everything. Like, this is an actual thing. It's in German, I will explain. This is an actual vote that happened just over a week ago, where we got to decide if we should incentivize farmers to have cows with horns. It did not pass, no special submissions, we're not keeping Switzerland horny, I guess. Excuse it, bad, it's the worst joke in the whole presentation, I promise it only goes up from here.

But yeah, so you can imagine that moving this democratic process to the digital realm is at the very least challenging, if not, as some people say, impossible. I believe as an industry it's our job to think in terms of doing things securely, not saying no from the get-go, but it's certainly a difficult task ahead of us. And I'm not saying that everything was better before we arrived at this stage of this transformational wave, I don't think so. I think we always had challenges, I think there were always problems. If we look at the voting example that I just brought up: Switzerland introduced postal voting 40 years ago, and it has most of the vulnerabilities that you would imply with electronic voting as well. You can go to somebody's mailbox and get their voting slip and sign it and vote for them, so you sort of abuse the system, it just doesn't scale very well. But it's not a new problem. But we're facing new challenges, and we need new people in the industry to face those challenges.

According to Gartner, infosec is a 124 billion industry. In 2019 we're going to spend 124 billion US dollars on information security. I haven't read the original Gartner report, because I'm too cheap to pay money for reports, but one of the key points was that about 10 percent of that spending is intended for privacy-related activities, which mostly translates to: we sort of slept into GDPR and now we need to catch up with that. GDPR, I'm sure you have seen talks that deal with the topic exclusively, so I'm not going into it. But if you have any doubt that there is still room for improvement with GDPR and that people don't know the bounds of privacy, then I found this story this morning on Twitter. It's about a company called Sleep Number, who builds microphones into mattresses that record audio from your bedroom to find out if you were snoring. So privacy isn't dealt with yet, and GDPR really does affect everyone more than you would think, every day. Just wanted to have this in the presentation because it's funny. Merry Christmas.

Along with the industry, our community has grown massively. This map is a list of every BSides currently in existence worldwide, and this is amazing to me, because BSides has always been an event that was free of charge, technical in its nature, and catering to an enthusiastic and excited audience that wants to learn and share knowledge. And I remember when BSides started. BSides started in Vegas with a bunch of people, it was less than 20, who just didn't want to bother running around DEF CON trying to find each other to talk about the [ __ ] they were doing, so they rented a house and they called it BSides. And look what happened: now we're looking at this, and we're all here today because we have this massive global movement of essentially free content. I was talking to a friend of mine who works in law recently. They have conferences as well, but instead of free, you pay a lot of money, and instead of knowledge, you get access to papers that you didn't have to read on your own. It's a very different animal, what we're doing.

And we need those new people, we need every single one of you in this industry, because we have a lot of challenges, we're not done yet. Sometimes we think that we're making a lot of progress because everybody else is sucking as well, but I've been in presentations where people were trying to convey how well they're protecting their networks, and then weeks later I would see them getting owned in the most spectacular ways. Those are usually conferences like RSA and so on. It's not great. We need new people in the industry, we need more people to help us out, and I'm excited you are those people.

I always ask myself why people want to work in infosec, and I can't answer this question for everyone, but for me the red button is probably what got me into this. [unclear] was doing a keynote at a con, and he has a similar experience apparently, and he put it very well. He said that a lot of people see this situation with a red button and they're like, well, there is a red button, somebody told me I should not press it, there are probably good reasons for that, so it would be a sensible choice not to push the button. However, hackers think a little bit differently, because you have all these questions racing through your mind instantly: What is the button for? Who decided that we should put up a sign that says not to press it? What happens if I press the button? What happens if I don't press the button but I press it later? Who doesn't want me to press the button? What happens if I press it twice? What happens if I press it for exactly 47 seconds and then let go? Those are all the questions that are raised in a hacker's mind right away when you are in this situation. And I think a lot of us have this curious mind frame. I don't know where I have it from; my best theory is that I have it from [unclear]. He was a TV engineer back in the day and he was an absolute nerd for model trains, and what I learned from him at a very early age is that it's fine to mess things up, because more often than not his trains wouldn't run, but he would always find a way to fix it, and I find that somewhat inspiring. He also had some PCs lying around at home. By the way, that's not me, that's just a stock image off the internet. But I got to tinker with technology early on, and I think that's true for a lot of people that got into this field at the same time I have gotten into it, and for me it was at a very, very young age.

And my excitement for computers only became greater when I discovered computer games, because obviously, come on, this is amazing. Small problem: I was about 10 or 12, I didn't have any money, and my parents weren't particularly excited about the concept of computer games, because I was already not doing my homework. So yeah, so I did what every sensible ten-year-old would do: I found some other kids that were older than me that had games and asked them to make copies of those games. This is being recorded, right? Cool. The problem was that even at the time there was some very basic form of DRM, or I would rather say ARM, because it's about as analog as it gets. Has anybody seen these? Yeah. Those were sort of like a primitive means of challenge/response copy protection. So you got this code wheel with the game, and they would show you the face of a pirate made from two parts on the screen, and you would have to recreate it using the disc, and then you had to enter this number that corresponds to some important event in that pirate's life, I don't know. It's just a four-digit number, and if you got it right they would let you play the game, and if you didn't they would show a little note telling you: hey, thanks for trying, you may buy another game now. Cool.

So obviously this turned into an arts and crafts project really quickly, because what you needed to do is find a photocopier and a bunch of pins to make your own discs, and I found that more interesting in some ways than actually playing the game, because I was like, this is cool, you can sort of circumvent that. We ended up making an electronic version of the disc just to figure out if we could, and I checked a couple of days ago, and there is actually a version out on the internet of that specific disc that is powered by jQuery, which I'm pretty sure has more lines of code than Monkey Island. So that's cool. So from there I was sort of hooked on figuring out how things work, so I decided, well, I like playing games, so I want to figure out how to make games. That was a bit more difficult, because our library had exactly one book on QBasic. If you remember QBasic, that was a really shitty programming language. But there were these magazines you could buy at the store, I don't know if you remember that, but back in the day people bought magazines, and there were these game magazines that came with a CD-ROM, and they had this content on there that were fan-made games and text adventures. I really liked text adventures because I understood how they worked, and so I tried to make my own. I'm not presenting at E3 this year, because I would be a shitty game developer, so that's not what I did, but it was my entrance into sort of coding stuff.

And then things escalated, because a cousin of mine started studying computer science, and he was like, hey, you like to see how things work, here, have a debugger. I was like, cool. So I got SoftICE. Does anybody remember SoftICE by NuMega? A bunch of people, yeah. It was a kernel-mode debugger by NuMega that sort of acted as a loader for Windows, so you could debug whatever process you wanted, and for me that was a revelation. I didn't know what I was doing for the most part, I got some instruction, it was cool, but I didn't know what assembly was. But I was fascinated, because finally I could see what the computer was doing when I was interacting with it, and that was for me the entire fascination. But I got stuck really quickly, so I figured I needed more information, so I went to my library, which at the time already had internet access, and that was for me probably the most life-changing moment, because I went online and I found all those people who were obsessed with the same [ __ ] I was. There were people who wrote instructions and manuals and all of that stuff: how to remove nag screens from shareware, how to create a buffer overflow, and all of these things that I found so fascinating and never found any information on, because it just wasn't around. So I had the privilege to meet many people that were pioneers in this segment and that I still look up to today, and that was the point where I was like, yeah, this is what I do want to do for a living, this is where I'm staying.

So that's kind of what happened. I'll cut this somewhat short. I had my first job in an engineering company I'm not going to name, in Basel. The guy I was working for was an [ __ ] that wasn't actually going to train me but sold me out for a lot of money to an external company. I told him I wanted more money, and he was like, Stefan, the graveyards are full of replaceable people, and I was like, okay, bye. And then I talked to a guy I knew from a BBS system, actually, and he had just founded this company a bunch of years earlier, and he was like, hey, we are actually hiring our first employee, are you interested? So I was like, so you're doing what again? You're doing pentesting and stuff like that, and I can get paid to do that? Cool, sign me up. So I did that. I started to work with a bunch of nerds. They don't look like that anymore. It was a good fit, because I myself was kind of a nerd; I don't look like that anymore. It was a good fit, it was fun. We started working on these things, we started growing as a company. We are today less than 20 people, and that is by design. If you want to know why it's cool to have a small company that is sort of boutique level, then go to the evening keynote today that Mario is going to give, because I cut this entire part out of my presentation because he's going to do it way better than I potentially could.

So why I'm showing you all this is because I think that my way to end up on this stage here is probably way different from a lot of other people. Even people who entered the industry at the same time have their unique paths, and now we have all these educational options to enter the industry: we get to go to university and we have cyber-security-centric courses, we have all these certifications, of which I think most are useless, but nevertheless we have them. There are so many ways into the industry now, and I wish that I had had a bit more guidelines and knew some things before I actually entered. I want to give you some examples.

One of them, a very common problem that I see in information security today, is the entire concept of self-reflection. I think a lot of you in this room underestimate yourself, some of you might overestimate yourself. Impostor syndrome, I'm sure you have heard about it, read about it, is rampant in the information security industry. It's rampant in other industries as well, but it's very popular in our industry for a reason. Impostor syndrome, if you don't know, affects about 75% of all people; the numbers are way higher for women, for reasons. And it's essentially the fear, the psychological fear, that you are indeed not worthy and not able to do what you're doing, and that you are going to be found out as a fraud any time now, because you have a secret and you don't deserve to be where you are. It's an irrational fear that a lot of people experience, most people actually, at times, and it helps to be aware that this is a thing we have. But then on the other side we have a problem, because in information security this is big, because we are surrounded by very smart people. We have people like FX or Halvar Flake in our scene that are wicked smart. Haroon Meer did the keynote at Brooklyn as well this year, where he said: if you're standing next to Halvar and you think that you're in fear because you don't know as much as he does, that's not impostor syndrome, he has more brains than a small country. And I agree with that. You can't compare yourself to people who have been in the industry for a long, long time, but you can't sell yourself short either.

Again, on the other side of the spectrum, we have the Dunning-Kruger effect. The Dunning-Kruger effect is this really, really nasty thing that makes people very inaccurate in judging their own abilities. So when you get into a field of expertise, at the beginning you know nothing, and you know you know nothing, because you're new to this. But then you learn some things, and there is this phase in this cycle where you think, well, I think I got it now, I think I've got information security down. The problem is you don't, because very soon you will notice that in fact you were mistaken, and you realize how much you don't know. So I think it's very challenging to find your place between selling yourself short and not having confidence in yourself, but also not falling for this particular trap. It evens out after a while, and you get to a point where you're more accurately able to judge your own abilities. The sad thing about this is that this is not happening on a fixed time scale, so you don't know if this takes place over two years, five years, ten years, twenty years. In fact there is evidence that it can take very, very long, indeed very, very long, to get over that hill. I had to smile at the unhackable wallets. Well, yeah, and the worst thing is, this works: there are so many people who are like, this guy is amazing, he knows what he's doing, he did an AV software, it's great. Anyway.

Communication is a big thing, communication outside your bubble. I love talking to hackers, I love to talk about technical stuff, details. I loved Steve's talk yesterday about the firmware stuff, just because it's exciting, techie stuff is cool. But in most of the cases we need to acknowledge that we're not existing in a vacuum, so we need to learn to talk to other people outside of our bubble: people who run businesses, people who do process work, people who do HR work, all of that stuff. And we need to ask the right questions. For example, why are you all wearing blue hard hats in a meeting room? I don't understand, maybe that's something we should talk about. But anyway, so you have to acknowledge that. You might hate meetings, but they're usually your one chance to interact with people who are in a very different space than you are and to bring a few points across. So one of the things I wish I had learned earlier is to properly prepare meetings myself, so it's not a waste of time and so you can actually get your points across quickly and effectively. And sometimes it's hard, because when you talk to people who don't have a security mindset and that are all focused on shipping the product, or all focused on getting some new feature into an app or whatever, it gets annoying sometimes. And where do infosec people go when they're annoyed, usually? Right, Twitter.

So I don't know if you recall, a couple of months ago, the T-Mobile AT incident. We also call it Käthe-gate, no? So what happened there is a customer was in contact with the service desk of T-Mobile Austria. They asked her for the first four chars of her password for verification purposes. The person was very confused, because she had some technical knowledge, so she went to Twitter, she was like, you're asking me for the first four chars of my password, so that assumes that you can verify it against something, which then assumes that you have my password in clear text. Occam's razor sort of dictates that. And the person here, Andrea, very friendly, said, yep, that's the case, we need those four chars. So infosec Twitter obviously jumped onto this and they were like, no, you cannot do this, because this is dangerous. And actually it was very respectful at this stage, people were telling them, you cannot do that, that's not fine. And then Käthe entered the picture. Käthe is another customer rep, and she was like, well, I don't get the problem, we secure all your data very carefully, don't worry, it's fine. Because that's what Käthe is trained for: she's a social media rep, she's not a security engineer, she is not in any way interacting with security, probably, which is the core problem. But she jumped on this and she was like, nope, that's all great. People started to get annoyed, people started to explain to Käthe that, you know, you should hash passwords, you should salt them, you should store them encrypted, all of that. But Käthe was not listening, Käthe was getting patronizing, was saying, well, you're saying that if we store your passwords in clear text they could be stolen, but what if you don't get compromised? Problem solved, no problem at all, because our security is amazingly good.

Now look, I get that this is funny, and I think it's funny myself, but the problem is that we have sort of this knee-jerk reaction where we are like, well, you're stupid, you don't know how security works, so you are not part of our sacred circle and you are not worthy of having a normal discussion with. And what happened after that was actually quite ugly, because people got upset, more upset than ever before, and because Käthe wasn't listening, people started poking around some more at the T-Mobile AT network, which is unfortunate, because this robots.txt file doesn't look too good, there was cross-site scripting in there, amazingly good security obviously, and a bunch of other things that I chose not to include in this presentation because they were sort of critical. And also we now have a parody account in Austria, it's sort of Austria's response to SwiftOnSecurity, so it's Käthe on Security. Again, I get why this is happening, I understand that it's funny, but can we agree that this is not the best way to solve this situation, generally? Yeah? No? Maybe? And this is a pattern that repeats itself over and over again. Just a couple of days ago this happened: comdirect is a German financial institute, they posted this thing, I translated it for you. So on the bottom is an error message that says essentially, certificate is invalid or expired or whatever, with the custom text, and above it comdirect communicated on Twitter: hey, if you're getting this message that your connection is insecure, don't worry, it's a problem on our side, you can ignore this. [Music] And I get it, for their reasoning it was fine, because they wanted to maintain operations, they knew their certificate was expired on the server side, so they were like, yeah, we're going to fix this, no worries. I don't think they realized that they're teaching people all the wrong lessons by saying that, but I think that's not really their fault. Again, it's a case of bad communication. They apologized two days later, and there is no parody account this time at least, but you can see that the mismatch between the people who have to communicate towards the general public and the people who do the security within the companies is still way too big. We need to close these gaps. What Käthe should have done after the first time somebody came and was like, hey, what you're doing is [ __ ], is run along, get somebody from the security team and have them take a look at the feedback. Rather be safe than sorry, and be like, okay, we'll look into this, we'll maybe come back to you with an answer within a couple of days. Could have averted the shitstorm. But on the other side it was funny, so it's fine.

When you communicate to people, I found the best common language and terminology to use is risk, generally. That's what tech people and business people can agree on, because risk can be measured in likelihood and impact, impact can be measured in currency, and that's what people understand. So whenever you can, I urge you to get acquainted with risk as soon as you can, and with the concepts that are behind risk. If you can use a framework that already exists to assess risk, even better. There is literally nothing worse or more cringy to me than sitting in a room with somebody who's explaining security problems but is not able to quantify the risk that comes with it, not because it's too high but because they lack perspective. It doesn't work, stuff doesn't get fixed. So if you want to get your point across, this is the way to do it.

Another thing that I did wrong for a very, very long time is, I think I didn't manage to stick to the things I was strong at, and I always tried to sort of be a general practitioner. I wanted to be able to do most of the things we had to do within our corporate setting, and that's generally a bad idea. If you're an amazing reverse engineer, go and reverse engineer. Don't try to be an amazing web app tester, don't try to be an amazing red team operator. It's fine to have your niche. But there is one caveat, and that is, sometimes you don't know what you're passionate about, sometimes you don't know what you actually want to do in your career. So I'm not saying don't branch out and try new things, but don't invest a ton of time trying to be good at everything that you find, because chances are that you have certain talents and certain passions and they are not all-encompassing, they don't go through all the disciplines that we have in information security. So for me that was sort of a hard lesson to learn, because of the stuff that I explained earlier with impostor syndrome and so on; I always felt that I needed to be able to partake in any conversation about any infosec topic in any context, which sometimes is just not feasible. But again, branch out, and I encourage you to do this very, very actively. So what I would encourage you to do is look at the schedule for today and pick the talk that is most obscure to you. It's probably this keynote, but maybe it's something else that is the most obscure to you, and the best-case scenario is you don't even understand the title. That's really the best you can ask for. Go to that talk and see what it does to you, because it's an amazing reaction you can get from your brain when you expose it to things that you have no context with, that you have no prior knowledge of, and that might be something that might be your next big thing that you pursue. To encourage you to do this: if you don't do it here, at least watch a video of some stuff you don't understand. But if you do it here, [unclear], you can go and you can talk to the guy presenting it and you can ask him all the questions that you didn't get, and then maybe you really get a new field of expertise that you think you could like working in from henceforth.

Generally I think it's a great idea to get acquainted with your own brain a little bit more. Also something I sort of missed, because I didn't go to university, because of the way I came into the industry, that wasn't in the cards for me. In Switzerland we have a dual model of education; I went in from the practical side, so I never really had to learn how to learn, which is a bummer, because our industry contains a lot of opportunities and a lot of demands for learning, so it would be good to be acquainted with that. There is this amazing course on Coursera with the same title, it's called Learning How to Learn, and it's amazing because it teaches you all these techniques on how to retain memories, on how to build new connections in your brain and acquire knowledge, and this has been a game changer for the way I approach new material, and I've gotten way more effective. For me this is a bit of a special topic anyway, because I got more or less recently diagnosed with adult ADD, which gives you a bit of context about certain behaviors that you may or may not have had for years and years before, and gives you also some tools to work with that.

It's probably the cheesiest picture in this presentation, I apologize. The one thing I would really change if I could do this whole past 50 years again is I would get a mentor way earlier. This field is so amazing because it is young, it's so amazing because those people who built those groups I showed you earlier in this presentation are still around, and when you send them an email with a specific question that isn't particularly dumb, you will most likely get an answer. You can write an email to Fyodor about nmap and he will respond to you. That's amazing. So when we did this thing at the very beginning of this presentation where I made you all stand up, if you're sitting next to somebody who sat down very early in this process, maybe that would be a good person to talk to in the coffee break, maybe that would be a good contact for you to learn more about a specific topic that you might not be very invested in at this point. I certainly made a lot of progress from talking to people I looked up to, people like FX for example, who taught me so much about this whole industry that I can't thank him enough for it. And I think we should try to share these experiences, we should try to be kind to each other and give knowledge freely, because we are in an arms race with criminals, we are under constant pressure from business demands and all of that stuff. So I think it's important that we are efficient and effective about this.

And look after yourself. [unclear], our lives are stressful as they are, we don't need infosec jobs for that. We are already under a lot of pressure with family, with all these demands, but our jobs tend to be more stressful than a lot of jobs in other industries. I don't think a dairy farmer, despite his election struggles that we looked at earlier, I don't think a farmer has as much stress as the average infosec person. So I want to plug this really quickly: this is an initiative launched by Amanda Berlin, a good friend of mine. She's on Twitter as InfoSystir, you probably follow her, some of you, and she founded this thing called Mental Health Hackers, which is all about promoting awareness about mental health issues that are prevalent in our industry. It's all about dealing with depression, anxiety, stuff like that, and I urge you to check this out.

We are all part of such an amazing, unique industry, and despite the fact that we tend to get very defensive about things, despite the fact that we are sometimes very, very cynical about what we do and how we do it and how other people don't do what we tell them to do, and that's stupid because we know better, right? I've always felt like the security community was a family to me, and every time I come back to a BSides, and I've never been to this BSides before, I never made it out, but every time I come back to a conference like this, it's like coming home to a group of friends, and you talk to people like you've known them forever, and you get so many new ideas, so much new inspiration, and I think that's our greatest asset. That's what keeps us sane, that's what keeps us inspired, that's what keeps us going forward. So thank you so much for giving me your time this morning, thank you very much for listening to me ramble for the better part of an hour. I hope you can go and get yourself a coffee now. If you have any questions about this I'm happy to answer them now, otherwise I'll be around for the day. But keep hacking, keep being awesome. Thank you, BSides Lisbon.

[Applause]
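The T-Mobile Austria part of the talk turns on one inference: a helpdesk that can check the first four characters of your password must be able to read the password itself. The following added example (not from the talk, not T-Mobile's system; the user name, password and salt are constructed) puts the two designs side by side. The clear-text store makes the partial check trivial, and the salted PBKDF2 store makes it impossible, because the hash commits to the whole password and a prefix yields an unrelated tag.

```python
import hashlib
import hmac
import os

# --- Design 1: clear-text storage (constructed sample, the pattern the talk criticizes) ---
# The helpdesk "first four chars" check only works because the plain password is on disk.
# Whoever reads this table reads every password.
CLEARTEXT_STORE = {"alice": "correct horse battery"}


def helpdesk_check_first_four(user: str, first_four: str) -> bool:
    """Partial-password check; possible only because the password is stored in clear."""
    return CLEARTEXT_STORE[user][:4] == first_four


# --- Design 2: per-user salt + PBKDF2-HMAC-SHA256 tag, no password on disk ---
ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def make_record(password: str, salt: bytes = b"") -> dict:
    """Create the stored credential: random 16-byte salt plus the derived tag."""
    salt = salt or os.urandom(16)
    tag = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "tag": tag, "iterations": ITERATIONS}


def verify_full_password(record: dict, candidate: str) -> bool:
    """Re-derive the tag from the candidate and compare in constant time."""
    tag = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(tag, record["tag"])


def verify_first_four(record: dict, first_four: str) -> bool:
    """What a helpdesk could do with a hashed store: nothing useful.

    The tag was derived from the whole password, so hashing a correct prefix
    gives a different tag and the check fails even for the right four characters.
    """
    return verify_full_password(record, first_four)


def same_password_different_tags(password: str) -> bool:
    """Two users with the same password get different tags thanks to the salt."""
    a, b = make_record(password), make_record(password)
    return a["tag"] != b["tag"]


if __name__ == "__main__":
    rec = make_record("correct horse battery")
    print("clear-text prefix check:", helpdesk_check_first_four("alice", "corr"))  # True
    print("hashed full check:      ", verify_full_password(rec, "correct horse battery"))  # True
    print("hashed prefix check:    ", verify_first_four(rec, "corr"))  # False
    print("salt separates users:   ", same_password_different_tags("correct horse battery"))
```

The point for the conversation the talk describes: once passwords are stored as salted hashes, the partial-character helpdesk procedure cannot exist, so its existence is itself the evidence of clear-text storage. Verification workflows then have to be built on something other than the password (the talk does not prescribe which; any replacement is a design decision outside this example).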