
Okay, welcome everyone to the 11 o'clock talk, the first talk, I think. I'd like to introduce Jeff Man. I won't do justice to his resume, so I'll let him take that off as he introduces his talk here: does DoD security work in the real world? So, for everyone, Jeff Man.

Okay, hi everybody. Somebody take a picture of me, like, it's really cool, I'm teaching at Harvard. Sidebar: some of the dumbest people I ever met, and I hope there's none in the room that I offend, were Harvard Business School graduates. Just saying. Good way to start.

I want to start with a quick survey, you know, show of hands, yell or whatever: does DoD security work in the real world? How many people think yes? Wait for the options. No? Both? Don't know? They're waiting for me to tell you. Okay, we can do that.

Why I asked this question, just real quickly, just to frame it: what put this question in my head years ago actually happened not too far from here. It was a customer I had eight or nine years ago in the Boston area, shall we say, and I actually have to blame it on PCI. I was there as a QSA, I was doing their PCI compliance assessment. It was a large merchant that is located about 30 miles west of Boston, you do the math. And I was spending an afternoon explaining to them what encryption meant, what it meant to protect data at rest, data that's being stored, and we were going through kind of all the different options. And because I'm an ex-cryptographer from NSA, I kind of geek out a little bit when it comes to things crypto, so I was probably giving them more detail than they really wanted. So at the end of this long explanation, which I thought was really a good thing, I was giving them a lot of detail on what all these things meant, they said, yeah, that's nice, but we don't really need DoD level security. So that's kind of the birth of this talk. I think what they said was, we sell women's clothing, you know, why do we care? But I actually have heard this time and time again over the years of my work, especially in the PCI world. Midwestern companies, you know, the Midwestern mindset is, we're just family here, everybody gets along, why would anybody steal things from us? And you have different mindsets for different companies. So really, honestly, this statement that this person said eight or nine years ago has stuck with me, which can be disturbing at times. If that happens to you, I don't know, maybe there's treatment.

Anyway, my name is Jeff Man. You can find me most easily, I'm often on Security Weekly as one of the co-hosts. I was recently officially endowed, as a promotion, what do you call it when you get ordained, whatever. I used to work at NSA as a pen tester, another talk, another day. I'm a cryptanalyst, actually a cryptologist. I worked both sides: I broke codes and I actually designed codes at certain points. And I'm sort of currently unaffiliated, if anybody's hiring, hire me. The masking thing, that was actually a job that I did when my PCI customers actually produced food, and to get to their office we had to go through the factory, so I had to don that stuff. I thought it was cool. Anyway, moving on.

I've been in the business, the information security business, for going on 34 years now. Raise your hand if you're younger than 34, 34 or younger. So imagine, your whole life I've been doing this. So hold that thought.

Tell you a little bit about my most recent claim to fame. There was a book that came out last year called Dark Territory. Has anybody heard of it, read it by any chance? The fourth chapter is a chapter called Eligible Receiver. Eligible Receiver was the first massive coordinated pen test that NSA performed against its customer, which was primarily the DoD. It happened, I believe, back in 1997, which was a little bit after my time, but in that chapter there was this paragraph: the NSA had a similar group called the Red Team, it was part of Information Assurance, bla bla bla bla, it was stationed in FANX, which they misspelled. Friendship Airport, by the way, is BWI, in case anybody's ever been to the Maryland area. During its most sensitive drills the Red Team worked out of a chamber called the Pit, which was so secret that few people at NSA knew it existed. Sounds ominous, right? I actually worked in the Pit. I was one of the original members of the Pit. The Pit was simply our office, and this is the FANX complex, which is just west of the BWI airport. That road up in the top is what you drive in on to drive into BWI, if you've ever been there. And, with my fancy laser pointer, all these buildings at some point or another may or may not have been affiliated, or are still affiliated, with NSA, and the Pit was right there in that building, FANX 3.

As I jump into this talk, I do want to dedicate it to one of my oldest friends and one of my mentors, somebody that watched over me more than I even realized, as I came to learn recently. She passed away, it's been a month now, a couple weeks, is it three weeks? She was one of the people that was responsible for setting up the Pit and having the idea that NSA should do pen testing and red teaming, the whole idea of testing the security of our systems, our customer, which was the DoD, primarily classified systems, before the bad guys could get to it. It was a novel idea, you know, almost 25 years ago. She had a lot to do with that. We called her Mom, she was our den mother, and she passed away. So this is dedicated to you, Becky. Deep breath.

I actually started my career in 1984, and technically I didn't start at NSA. My very first job was a summer intern job between my junior and senior year of college at what then was called the Naval Surface Weapons Center, which was also a facility in Maryland not too far from where I lived. My mom was actually in personnel, in HR, so she helped me get a job as an intern. Thanks, Mom. Well, I was technically not allowed, and it worked out really in my favor. I wasn't allowed to be an intern because of nepotism, but I was allowed to be hired as a temporary employee, and so at the end of the summer I didn't, like, stop working. I went on leave without pay, I came home at Thanksgiving and Christmas, worked here and there, and then I had a job immediately after I graduated, and I worked there for several months until I ended up at NSA. Thanks for asking.

But my very first job I got, I was working for a physicist that did anti-submarine warfare, that was what he did research on, and he had gotten some money and bought one of these newfangled devices called a desktop PC. I'm pretty sure that's the model I was using. And he hired me because he had this filing cabinet, this locked safe, that was filled with, as it turned out, about 25, 30 years of research reports, white papers, documents, books, anything that he was able to collect on anti-submarine warfare. I was a young college student, 20, hello, I was, in 1984, 22, and when I started with him he said, well, I need to explain to you what anti-submarine warfare is, and probably the best way to explain it, this book came out recently called The Hunt for Red October, just read it, it's what we do. So my first week on the job working for the government I got to read a book. I thought it was really cool.

So that was my job. I went into this safe, and for the people that raised their hand because they're younger than 34, I found documents in this safe that had been checked out of the technical library of this research facility before I was born. So I had one of those moments, it wasn't quite as long, only 22 years, but I'm like, wow, this document's been sitting in this drawer in this safe for my entire life. So it was kind of weird.

But my first experience in security really was that I committed a security violation. I came in one morning, you can read it there, and basically I had left the safe unlocked. And I was like, well, what's the big deal? I'm in a building that's surrounded by a barbed wire fence, not anybody can get onto the grounds. To get into the building you have to go past security, and I don't think we had that exact turnstile, but you get the idea, you had to get through somebody. The office that I was in had a lock on the door, and you had to know the combination to get in. And security actually walked the halls at night, they would roam around looking for bad guys and people sneaking in, burglars and whoever, which is how they found that the safe wasn't locked, because they would go into all the offices and try all the safes. And how I discovered that I had a violation was I opened the safe, because they had locked it, and there was this pink slip of paper saying come see us at security, and it's a big deal. So I was young, I was naive, and I thought, what's the big deal? There's all these layers of protection, who cares if I left the safe unlocked? So remember that. So,
does DoD security work in the real world? If I'm going to have a conversation, we need to start with maybe defining some terminology. Okay, so I think a lot of people, when they hear about DoD level security, they're thinking, well, that's just some nth degree of security, no holds barred on the amount of money, the amount of investment, you can buy all the tools and multiples of every type of tool and technology, and sort of the sky's the limit. But that's not really what I'm talking about. I might know what movie that is, by the way, very good. The DoD type of security that I grew up in, especially at NSA, it had many, many disciplines, and I just tried to capture a few because I thought it'd be a cool slide to say, now, what are the different facets? Some of these were there when I was there, and of course we have to have cool abbreviations for everything in the DoD. So COMSEC is communications security. Basically all this extra security intelligence: there's signals intelligence, satellite intelligence, communications intelligence, electronics intelligence, so on and so forth. TEMPEST is emanations. If you've ever seen pictures of the campus of NSA, there's a couple buildings that are kind of mysterious and black, big huge squares. They're actually built copper-clad, the entire building is TEMPEST protected. Somebody had the idea, why don't we just build the TEMPEST protection, the emanations protection, around the whole building, and then we don't have to care about what's on the inside, whether the monitors bleed and project a hundred feet, which they may or may not do, then and now. In the early days they were really bad. Anyway, there's a lot of different disciplines. When I'm thinking DoD level security, I'm thinking about all these different types of things. Transmission security, you may not know what that is, but if you're a SEAL team and you're deployed in a country and the adversary can figure out where you're broadcasting from, bad things might happen to that area. So there's different facets and there's different elements to DoD security.

But in trying to describe DoD level security, one of the things I learned early in my InfoSec career was this concept of a risk equation. Now there's many, many risk equations out there if you google it. A friend of mine just went to a doctorate program, she probably had to learn a few risk equations, and this is probably bringing back painful memories. But I try to reduce things down to the basic elements, and the basic element of the risk equation is there's some sort of fancy function that you can apply, but it has to do with vulnerability, sort of what are the weaknesses; the threats, who are the bad guys that are trying to get you; and what you're doing to prevent or protect yourself against it, what we used to call countermeasures. This all rolls into, whatever you're doing or not doing in terms of securing your environment gives you some sort of value of risk. In the DoD this value, again simplifying things, most often has to do with human life: the concept of national security, the context of protecting our troops, protecting national interests, protecting our allies and so forth, the spies and agents and people we've recruited that are giving us all this super secret information that we have to encrypt, all that kind of stuff. It boils down to basically, you can think of risk as a quantity of human life. So remember that.

As I said, the parameters of risk: if you ever go to a trade show, go out and ask some of the vendors upstairs, the companies that are out there that are talking about risks and threats and vulnerability, to simply define the term. You might be surprised at the number of answers you get, the diversity of answers, and you might even be surprised at how some of the answers overlap. But if you recall, and my big pet peeve, I get on pet peeves, anybody else get on pet peeves and rants? But a lot of people talk about threats these days when they're talking about risk, and they sort of equate the two: risks and threats are the same thing. No. There's a risk equation, threats are an element. Don't you guys get it? Anyway, elements of a risk equation.

Also, in terms of InfoSec, this is sort of classic, nothing new. If you've been to school and learned it in your history books, this is what it was all about back in the day. It was data security, that's why we lock things in a safe, and the three concepts of protecting data have to do with confidentiality, integrity, availability. We called it CIA, because everything has to have an acronym, and it's basically: can somebody steal the data, can somebody alter the data, can somebody make the data not available? Now, interestingly, in our internet-connected computer world there's a few new variations that have been applied to this. Talk about that right now.

I used to be a cryptographer, I used to design systems. My first assignment was working for the manual cryptosystem shop for NSA, so on the INFOSEC, the defensive side. So we used to deal with one-time pads, and as far as I'm concerned it's been downhill from there. The one-time pad is unbreakable. If you want secure communications that nobody can break, use the one-time pad, use it properly, use it once, that's the one-time part of it, but it doesn't get any better than that. So as far as I'm concerned, in the last 25, 30 years we've taken perfect security and watered it down, because we've started to apply machine cryptography, computer-based cryptography, because we want our information fast and we want it transparently, and we don't want to know that there's things going on behind the scenes, and we don't want to have to deal with keys and all that kind of stuff. We just want our data and we want it now, damn it. We need to go back to one-time pads. Anyway.

So you remember at the very beginning I said this person that talked to me eight or nine years ago, we don't need DoD level security, that's always haunted me, and especially in the last couple years. And I've gotten lots of excuses, and you might be thinking of some of these excuses already. Usually when we have the discussion of how DoD level security works or doesn't work, money comes into play, the complexity or the perceived complexity of, we can't afford to do all the different things, we're a different type of shop, or why should we care, we're just a grocery store, we're just a restaurant, we're just a convenience store, whatever it is. And really, those companies, in their defense, a lot of companies that are out there, a lot of organizations, until they plugged into the internet really didn't worry about security and data security. They didn't have to. But in your brave new world, you plug into new technology and you sort of have to be a responsible corporate citizen and internet citizen, because by plugging in you're assuming some sort of risk. And, not so much anymore, but I really had customers that were like, well, who would attack us? Nothing bad has ever happened to us, we've never had any problems before.

This too, actually, this is a sanitized network diagram for a company that was a PCI customer, again a Boston-based company, I didn't intend that. But the red circles up there are supposed to be the card data environment. PCI says put all your systems together in one environment and protect it and keep it safe from everything else. They don't require it, they recommend it, it's called network segmentation. That's clear as a bell, right? There's no crossover, you get the idea. Yeah, I mean, there's not a lot going on here, what bad could happen? So what if you're just selling women's underwear? There's big boxes over there, mainframes and all that kind of stuff, these are representative retail locations, they do things a couple ways, so on and so forth. Even that's probably eight or nine years old, I'm sure it's a lot better now.

But in the last couple years, as this person, what they said, keeps going around and round in my head, and especially, you don't have to go very long, days, weeks, months, in fact this slide, it's hard to keep the slide current, but for all the breaches that continue to be happening, in the large companies and the companies we thought were doing things right or should know better, government, private sector, even security companies, even some of the products we use, I got a chance to throw in a few words, so this is current. It'll also be updated next week, I'm sure. But all these things happen, and I, as a security professional that's been in the business for 34 years going on 35, have to do some soul-searching and ask myself: we as a community, we as a culture, we as a society, we as an industry, are we really doing anything better? If we think we've advanced, if we think the technology's advanced and all the stuff that we're doing is so good, why does this still keep happening? Which is why we have conferences and we get together and talk about it.

Things that I learned both from the DoD and over the course of my career in the private sector, these are typically the reasons why networks are insecure, why your enterprises are insecure, and this is not new information. This is actually a slide that I used probably 20 years ago trying to teach people: if you're going to connect to the Internet, in the early days, you need to have some sort of security program, you need to have policies, you need to have rules, you need to write them down and you need to follow them. But that all gets wrapped up in people don't want to do that. They just want to buy the technology. They don't have the institutional knowledge, they don't really understand this whole security thing, they don't understand the technology stuff, they're just plugging it in, using it. And money is a big factor, that's true.

So the point of all this is, as I look at the world today and how things continue to be insecure, and if you listen to enough talks you sort of come away with, wow, everything's just incredibly broken, and it keeps us employed, most of us, not me, it's weird how that works out. But I wanted to look back in my career and look back on the things that I'd learned in DoD level security, especially the things that I don't see necessarily being implemented in the commercial world, in the real world, and explore a few ideas. I'm not saying this is the answer, I'm not saying I've got the answer, I'm just throwing this out as a conversation starter. So feel free to agree, feel free to disagree, feel free to dismiss what I'm saying because I'm too old and don't know what's going on, whatever. I just want to throw out some ideas, maybe just to get us thinking about, is there a different way of doing things? And maybe the point is we don't need to come up with something new, maybe we need to go back and do some of the things that we know we should have been doing all along, but for various reasons we haven't.
so the fundamental thing from a DoD perspective on the approach to security is it's really about data it's it's it's about information my favorite movie one of my favorite movies think well I guess it says it right there I do another talk where I have a lot of movie slides and make people guess what it is so yeah and who are the actors and I remember their name but you know there's a scene in this and it's toward the end and and then these guys used to be friends and they used to hack together in college to take oh they were Harvard or MIT I forget what I think they were let's say they were here
at Harvard but maybe not maybe it's Caltech or something but you know they're having a conversation towards the end and they're talking about how in from you know where the world is it were I should have been memorized I don't and and but the war is not being fought with bullets it's all about the information so again it's all about the information the approach to security from a DoD perspective starts with we have a set of information we need to protect it that's where it all starts the risk equation that I've discovered how it works best in the real world is you got to start putting dollars and cents on it the risk factor whatever that mythical number
that you come up with that is involved with whatever algorithm whatever formula you want to apply and I try to be simplistic really in the commercial world vault boils down to a dollar figure remember the DoD version is human life in the commercial world it's a dollar figure that's a significant difference in terms of the approach to security as a practical matter and I acknowledge that I'm not saying I have a good answer to get beyond that but you know there's vulnerabilities out there I think we all agree and and a lot of this business worries about getting rid of all the vulnerabilities and keeping ahead and plugging all the holes and some people call it whack-a-mole some
people will think of the the little Dutch boy trying to plug all the holes in the dike I sometimes think we should just acknowledge as a community that the vulnerabilities are here maybe we should look at some of the other elements of the risk equation maybe we can get more traction there but again just simplistically it's all about dollars and cents when you apply it to the commercial world so what can we learn from DoD level security one thing that I've noticed is we tend to in the commercial world we tend to treat everything equal we focus on the security of the network we focus on the security of the systems and the data that we're trying to protect as
organizations either we don't even really understand what it is what we have in terms of data and what's valuable or what's not we don't know where it is stored we don't know where it's processed and we don't know how we get it in we don't know how it goes out we as an industry tend to focus on the systems the networks and not necessarily the data I mean I had PCI customers what's PCI its credit card security why am I here credit card security I've asked them what's our goal here they couldn't answer the question I think they thought it was a trick question but it really wasn't in the DoD and we don't need to go into details you know there's
lots of different variations of this but there's a concept of different types of data have different value and different types of data have a different life expectancy and the best way I can give you an illustration is if you've seen a war movie especially like Korea Vietnam maybe some of the later movies where you know a Ground Force is deployed somewhere and they're being attacked by a machine-gun nest or you know the bad guys out there somewhere so they want to call in an airstrike and they're calling in coordinates these days they'd probably be GPS and it's a lot more accurate but imagine Vietnam there's they're giving grid coordinates latitude longitude you can imagine that the accuracy of that
information is very important and it's very important to make sure you're giving the coordinates of the people that you actually want to have the bombing or strafing run done and not the good guys so that information is very sensitive but that information is only sensitive for maybe a half an hour because once the bombing runs been done whether that it worked or not it's kind of moot that the coordinates were sent out get that life expectancy we don't have that concept I think for the most part in the commercial world with the exception maybe financial data financial records have to be retained for X number of years but even again most companies that I've worked with over the years that have
that retention requirement they don't know that it's okay to get rid of it after seven years most companies just Hendel tend to hoard everything because they never know when they're going to need it and don't even get me started on email retention that's a whole different story so there's this concept in the DoD of different data has different value I don't see that a whole lot in the commercial world so I throw that out as an idea of maybe that's something that we should consider maybe we need to look at our systems and networks and try to figure out what we're actually dealing with maybe we should try to understand what type of data what time it type of
information we have and assign some sort of value to it now yes a lot of companies have data classification but it's usually in most cases and raise your hand if you've seen an exception it's usually you know public unclassified or company confidential I mean it's it's usually binary and again it's like we have to protect it at all costs we don't know why or for how long but we just know we have to do it or yeah it's ok the light out there the concept of security and depth this is not a new concept this is a aerial view of a city I went to States in Italy and the city was building in like
medieval times you can see that there's layers there you can imagine that the the the king or the ruler whoever was the head guy you can you can figure out where he was in the time of conflict and the whole idea is and again this is not a new concept we talk about network segmentation we talk about security and depth but I don't see a lot of companies and organizations talking about it from the perspective of it's okay for things on the perimeter to kind of go by the wayside I think you I wrote a blog article a couple months ago talking about the whole concept of perimeter security which is really what this is an illustration of especially in
the early days plugging into the internet internet bad corporate network good you know and you worked your way in so you have this concept of demilitarized zones and you work your way in with increasing trust let's kind of gone now because where the heck is the perimeter these days when we've got clouds and we've got mobile devices who knows but the idea of segmentation I still think is important to consider especially if you've figured out what your data is and figured out some data is more or less important than other data maybe you want to put it in different places but the other thing too is there was a concept at least when I was at NSA applying this principle of
security and depth is your systems don't alternate ultimately have to be secure forever your systems have to be secure enough that it's more costly in terms of time and resources to make it worthwhile for the bad guy to go through it to get to it and that's a weird concept that I don't see a whole lot in the public sector the idea that just you know we used to measure the veracity of a system its value by the it used to be the gross national product nowadays of course domestic product whole nother talk to discuss about but we would say okay we have a particular adversary guess what was in the mid 80s for early 90s and what's their GNP and
how much of that GNP would they dedicate to going after this set of information and we would calculate this is how secure we needed to be we needed to make it we needed to make it harder you know go through a bunch of Hoops go through a bunch of Hoops the hacker the bad guy he's going to get bored it's not what this is time and effort he's going to move on go back to the the story that I told at the beginning my first experience of security which was you know being insecure and learning a valuable lesson you remember I said you know there was all these protections but as I look back on it over the course
of my career what I realized on reflection is what there was when I worked at this this this Naval facility this naval research base way back in the day was that there was a culture of security everybody understood their role everybody understood the rules everybody understood the importance of following the rules and everybody understood how they all work together so yes there's a perimeter fence and that perimeter fence had security guards that would drive around and why and inspected periodically make sure nobody cut holes in it it might have had cameras on it depending on which organization I worked with over the years it might even be motion sensors or detectors built into it different
associated countermeasures and with all the countermeasures different processes and different rules same thing with the with the the front desks one of the rules at NSA was you know there's always a security guard watching you go through the turnstiles in the early days we didn't have turnstiles but we had a picture badge and we had to show it and you know face saying face saying that was the security guards you know tasks we went to a period I think was during one of the conflicts where they thought the guards had gotten lazy so they just they had to touch the badge and some of the guards didn't like that so they got these little magic wand things feel like
they ripped antennas off their radio so like I touched your badge and it lives it was weird but the point was they followed a prophet they followed a rule even though they kind of took liberties a little bit you know and the whole idea of having locks on the door sometimes there was double locks you know the pit had super-secret double layers if you believe that the book which I will neither confirm nor deny but you know change the change the combination periodically I remember when I won't say which office or when but they changed the combination it happened to be this the score of the Super Bowl that year because there somebody's favorite team
had won the Super Bowl yeah whatever changed the you know good passwords you know unguessable and all that kind of stuff again processes there's things built into it and even the security guards one of the things that was very true especially at NSA would they would rotate the security guards on the regular basis not to give him a break not to relieve boredom because but they didn't want the security guards to get you know get to know you on a personal level they didn't want facial recognition hello Jeff come on in you know I've seen you come in every day for the last three years I don't know that you were fired yesterday and walked out
they don't want that to happen so they would rotate the guards to try to reinforce the fact that the guards needed to look at the badge match the face touch it during the time that they had to touch it even though they could use the magic wand I have taught for many years and I learned this in the DoD and tried to bring it out that you know security when you when you start to take a programmatic approach to it it's really a life cycle it's really process I like to talk about how security is something you do it's not really a state that you achieve and in doing it requires all these processes all this working together all this
things in flow. And in the early days we came up with five steps, probably because, and this is before Word had all these things available, or PowerPoint, we had to actually make this one. So again, in the early days it was: let's start by assessing the situation. We were doing pen tests and vulnerability assessments. You're plugging into the internet but you have this existing network; let's figure out what's wrong and fix it. And once we figured out what's wrong, developing strategies, let's write down the rules, implement it, so on and so forth. Well, we've advanced a whole lot now. We've got, so, five steps, and they've been changed a little bit, but it's still figure out what's wrong, so on and so forth. So is this better? Is this a proper application? I'll leave that for you guys to decide. But notice the data is considered an asset class. To me the data is the asset and everything else is rotating, revolving, evolving around the data, so maybe I don't agree with that one. Okay, it's up to you. Again, security is a life cycle; it's something that you have to do and you have to start somewhere. I think most companies today are doing something already. I mean, they've been in business a while, they've been on the internet for a while, they've been doing a security thing for a while to some degree or another. So the whole idea of starting off and assessing may be a moot point, but I still maintain that if you don't know what you're doing, if you don't know what your target is, what you're trying to protect and where it is and to what degree you need to protect it, maybe you're setting yourself up for failure. Or can we at least acknowledge that the whole idea of protect everything to the same level at all costs isn't really working?

We could flip back to that slide for the hacks of the week. The last statement there, I'm pretty sure I have to give credit; I bet that's something I heard Marcus Ranum say probably 20 years ago when I went to one of his talks. In case you don't know who Marcus Ranum is, we talked about that last night: he's effectively considered the inventor of the firewall, the godfather of the firewall. He built the first firewall and he acknowledges that he built it wrong, but he's still famous for it. But the talk that I went to 20 years ago, he was talking about building a firewall policy: how do you know what rules to set on a firewall if you don't have a policy, a set of guidelines, a set of goals? So security without policy is simply technology.

So, throwing out some sort of semi-random thoughts, just to try to continue to pique your interest, hopefully, and spark
a conversation. I think the whole security industry is as much to blame for the things that we've talked about in terms of the challenges, especially the whole money thing, but in no particular order. I think customers, and I've had this experience many times where I'm trying to explain the process and the cycle and they're like, yeah, yeah, we don't need that, just tell us what to buy and where to put it and what do the blinky lights mean. I don't want to think about security; I just want to know I've got X in place and I'm good. In the early days: I've got a firewall, so I'm good, right? I've got antivirus installed, right, so I'm good. And the list goes on and on. And to some degree vendors run the industry, and to some degree it's not their fault, but the companies that do look to someone to guide them or advise them about what to do in terms of investing in and building security naturally turn to the vendors, because that's who's calling them 20 times a day or sending them emails and spamming them. And so they finally take the phone call and they hear what they need to hear: this is what you need, and by the way, I'm selling it, and it all works out. I should add that bullet point. That's a whole nother, maybe this is why I'm unemployed.

I think there's too much focus on the technology. Hopefully you've gotten that feel. To me it all starts with the data. The data happens to reside on a lot of technology, and the technology is important; the technology's not going away, because I don't think most people are going to revert back to a one-time pad, taking four hours to write out one page of text. They want the streaming video and constantly updating their pictures and Snapchats and all that kind of stuff. And I mentioned it earlier, I think sometimes we're focusing too much on the vulnerability. That certainly keeps a lot of us employed, and it's certainly important; I'm not saying it's not important to understand what the system's vulnerabilities are. But can we acknowledge that they're not going away, that we're never going to get to this point where we're done, because as long as we're implementing technology there's going to continue to be vulnerabilities? So maybe, just maybe, we need to focus somewhere else. And that's related, and I might not make a whole lot of friends with this, but I think a lot of that has to do with penetration testing, because very often the penetration testing that goes on today is focused on finding vulnerabilities. Penetration testing, when done correctly, and you can watch our episode 500 on Security Weekly, we had a panel discussion on this, should really be emulating the threat. It should really be a fire drill. It should be trying to act like the bad guys and see how well they do at breaking in or not, and see how well you do at detecting their activities. That's what a pen test should be. And I mentioned that earlier: nobody seems to understand what the difference between risk and threat is; they think it's synonymous.

So the DoD gave us lots of really, really good guidelines on how to secure computers and systems. Anybody familiar with this know what it is? You guys don't count. It's called the Rainbow Series. It all started with the top left corner, what was called the Orange Book, cleverly, because it had an orange cover, and I want to say that came out in '83, maybe '85. And what was funny to me the first time I was handed the Orange Book was, when I first started there were maybe 10 books in the series, maybe only eight, but the second book in the series was probably twice as thick as the Orange Book, and its title, I'm paraphrasing because I haven't seen it in 25 years, was basically how to understand and interpret the Orange Book. And it sort of went downhill from there. So if you think that's over-the-top and overkill and useless, and how does that apply to the real world, I give you this. I saw this on LinkedIn a couple months ago, and if you search for CISO mind map you can Google it and zoom in and read it. But for all the small print that you can't read, assume that that's a technology, and the grayish, blackish boxes are sort of domains, if you will, or areas: things like business enablement, project delivery lifecycle, budget, security architecture, compliance and audit, and so on and so forth. This is all the stuff that CISOs have to know. It's no wonder that companies continue to get broken into, because I don't know all this stuff; nobody knows all this stuff. This is
another example. Again, I saw this out on, I think, Twitter. Somebody tried to write down what all the different domains are within that word up there that I won't say. Again, the colors mean different sort of major domain areas and sub-bullets, and again, if you find this and read it in the small print, assume that for each one of these things there's a technology behind it, or a technology solution or tool, and people. I'm sorry, yes.

So if you've been around for a little while you might have heard some variation of this whole information security revolves around people, processes and technology, and of course technology rules. And if you're a consultant, which I am and was, we tend to focus on the people and processes, and people and processes are boring and it's not fun and you don't see a lot of blinky lights, so people like to skip to the technology. I submit to you, though, that there's a missing element, and that's you don't do any of this stuff without understanding what the purpose is, what the goal is, what are you trying to accomplish with your security program. It's not enough to just do it because everybody's doing it, because you're connected to the internet and you have systems and networks. You can get spun around the axis pretty quickly, and we see it all the time, because all this stuff is done without a goal in mind. And how do you know if you're doing it well if you don't know what you're trying to achieve? It's all about the information.

This is just some of my summary thoughts, and I did not say that word once in this presentation, ha. Very briefly, actually let me go back: knowledge and awareness is key. After 34 years in the business, I think that probably the most important thing is, we as a community, we as an industry, our customers, our companies that we work for, I think the biggest thing that we've lost from the DoD perspective is this idea of the culture of security. Everybody knows what they should and shouldn't do, and everybody knows what their responsibilities are, and everybody understands bad behaviors, and it's reinforced that they shouldn't do bad behaviors just because they need to do it to make the deadline or because the boss says so. And security people are the worst: they know how to bend the rules and break the rules and bypass the rules, and they're oftentimes the worst offenders. If you don't believe me, go out and talk to some of them and find out some of the shortcuts they take. So knowledge is key.

Quick word about my sponsor, which is Cybrary IT. They're an online open source training company. They've got thousands of topics, they've got tens of thousands of hours of video, and it's free. You register for free, sign up for free, and you can take all the training you want. If you want to get certified, CPE credit, they've got different labs and different deeper levels of courses; yes, you have to start paying for them, but it's really affordable. And if you're a company that has, or you work for a company that has, technology that has training associated with it, or even demos of what your product does, they would love to get that up there too. They're trying to be a resource, a one-stop shop, if you will, for everything related to IT and security. So check them out, Cybrary IT. It's free to register, and I'm actually finishing up a course that will be up there probably in the next week or two, so look for me as one of their contributors: The Art of the Jedi Mind Trick, learning effective communication skills. They're expecting to have a million subscribers probably by the end of the, they get like 15,000 a week. And again, it's one of these slides that you can keep updated, but they've got lots of really cool stuff. I can't say that it's all great information, because they're sucking in everything and they don't necessarily curate it all, but they've got a pretty functional search feature and there's just a lot of material out there. I encourage you to at least check it out.

So, any questions or comments? We've got 5 or 10 minutes left. I'm available: push back, disagree, agree, anything. Yes?
You're talking gibberish, what is all that stuff?
Well, two things. One, I should have been passing a microphone out for you to ask the question; somebody should do it. And once you get the mic in your hand, my question back to you is clarify what you mean by this storm, just so I'll make sure I understand that.

So I'd say probably over the past year or so, maybe about 18 months ago, I got like one questionnaire, and then in the past year I've had probably five or six questionnaires from different contractors that we work with as a subcontractor. Every one of them, it's anywhere from one to ten pages, and they might use Google's open source contraption to design it, or they use somebody's, or write question after question after question. A lot of stuff where frankly you'd probably want an NDA just to give them that information. Are these the kind of things, do you see this trend in your experience in the industry increasing, that we're going to expect to see more and more of these things? Is there, I mean, ISO 27001 certification maybe might be able to help you with this kind of stuff. I mean, do you see, is this a storm maybe that we're just going to have to weather, and maybe this will just die off in the end, you'll get tired of it?

Well, my opinion, and others can weigh in, but I think in the industry over the years it's sort of a pendulum swing, and while there's this occasional recognition we need to do more of the people and processes things, often it boils down to endless checklists. And what's missing, in my opinion, is the overarching understanding of security, the goals and objectives: which of those questions apply and don't, is it okay to say N/A and is that an acceptable answer? I'm most familiar with PCI, but most compliance standards, as I've read through them, are fairly good in terms of if you're running this, do this, and rinse, lather and repeat that a thousand times over. What they don't do is say: you're this type of company doing this type of business with this type of data, so this subset applies to you. They sort of expect you to figure all that out. Here's everything and the kitchen sink. I mean, think of the Rainbow Series: every possible permutation you can think of, technology, it's out there, and how to secure it. More recently that would be probably the NIST Cybersecurity Framework. You mentioned some of the other things, HIPAA. I was asked to do a talk on HIPAA a year or two ago, so I sat down to learn HIPAA, like okay, you need to protect private health data, and I'm like okay, what is that? I have yet to find the definition of it. I'm totally serious, there is not a definition of PHI within the HIPAA standard. There's examples, there's a broad sort of framework: it's any information that's healthcare related that ties back to an individual, that's sort of a definition, but it's sort of left up to the user, the consumer that has to follow HIPAA, to figure that out and then apply what needs to apply. So there's a disconnect, and I think the pendulum swing is, okay, we do a lot of technology, okay, we know we need to do some process, but we don't know how to do that, so let's just throw out some questionnaires, and we don't know what applies or doesn't apply, so fill out everything, because I don't know, that's what they told us to do.

I thought you met candy bars. So I actually do acquisitions for this DMV, and theoretically with said Gramps it's supposed to be do once in youth betting, so that's the whole idea. So theoretically it should slow down, but it needs to be a continuous haka, and I think that's going to be the cultural shift.

I think, ironically, what I have hopefully described a little bit, in a way that's understandable, is that DoD-level security largely doesn't exist in the DoD today. They lost the institutional knowledge, they lost the culture, and most recently the DoD has tried to sort of adapt the way the real world does it back into the DoD, which I think is ironic and interesting and disturbing all at the same time. Did you have a question?

I think we're looking for the perfect state of security, and everybody wants to point to a standard to say that's perfect, we're going to measure ourselves against perfection. But if we start shifting our mindset around the fact that security is never a destination, it's a journey, right, then how can we have these perfect standards? So sending out all these surveys is great; it's
always just a moment in time, and as long as organizations walk into it with that, then I think it won't feel so overwhelming.

Yep. In the PCI practice that I was part of, we used to talk to our customers about treating security as a program and not a project; it's an ongoing thing. Question there, and then in the back.

So I kind of feel like you set yourself up for finding a lot of companies that are very focused on compliance by doing the PCI thing, but at the same time, when you go and you look at a new company, other than just sitting down and taking a good long time to really understand their culture and get a feel for particular individuals, what are the key marks that you noticed that say to you this company actually does have a culture of security?

You're assuming that I found one that has that. Yeah, I did consulting for many years before I was sent to PCI purgatory, and I used to talk back then about the companies that we would approach, that hired us to do a pen test or vulnerability assessment, the ones that said, well, we just, I'm going to date myself, so we had one company that said we just installed the Gauntlet and we went to training, so we're good, we want you to pen test us. And I was just doing some port scanning remotely and like, I don't even see a firewall, I'm seeing everything. Long story short, guess what the last rule was on their firewall. So I've had many companies that say, oh, we don't store that data, we don't capture that kind of data. I had a PCI customer, they had a web screen, an e-commerce site, where they asked for the CVV. I'm like, what do you do with that? Well, we just throw it away. Like, yeah, that's going to come back to bite them, and guess what I found when I was looking at their database. It was encrypted, but that doesn't matter; you're not allowed to keep the CVV. So the flip side to that is the companies that perhaps had the right attitude, and I guess we could say it was a culture, are the ones that would come to us and say, well, we're trying to do the best things, we think we're doing okay, we think we've covered our bases, but we're not sure and we want you to test us. Those companies we often had a very hard time breaking into, but they had an attitude of humility, which I guess is corporate culture, that okay, we think we're doing okay, but we don't know what we don't know, find this out. They tended to be more secure; we had a harder time breaking into them and finding all the vulnerabilities and the holes.

Did you work your way to the back? Yes.

PCI is slightly different than the DoD model, where the DoD has actually started a whole what's-old-is-new-again; they went from DITSCAP to DIACAP to RMF.

Yeah, again, they've gone back. I have no idea what these acronyms are.

Yeah, they've gone back to, we are tt associated, and you never defined risk tolerance, because you seem to kind of have defined risk, and then you kind of talked around what the risk

Then define risk. As I said, it's an equation, and I've talked about the elements. Risk tolerance, what does risk mean to somebody? Well, risk is how much risk are you willing to endure in order to get your job done or complete your mission.

All right, so I'm just wondering, PCI is very firm: it's you must protect the credit card information, privacy information, etc. Same as HIPAA. But would you draw the same risk analysis for, say, a laptop that goes out to do recruiting as you would for a laptop that does encryption or pen testing?

Well, so I didn't mention risk tolerance, and I probably should; thank you for bringing that up. The idea of risk tolerance is different for everybody. I mean, you got out of bed this morning and walked out of your domicile and got into a car, or walked, whatever; that's a risk. It's a risk to roll out of bed. Most of us take a lot of risks. I get on an airplane frequently, that's risky. I'm married with children, that's risky. The idea of risk tolerance, in our sense, usually boils down to, again, it's a money thing: how much are you willing to risk losing, how much are you willing to risk being fined? I've had PCI customers that weren't compliant, and they acknowledged that and they paid the fine while they were on a path to compliance, but that became a part of doing. I had one customer, several customers, that were like, yeah, we'll just pay the fine. That's a perfectly valid risk tolerance decision, but it's not my decision necessarily. Yes?

So PCI is different, and everybody for yourself, I'm going to say something vaguely supportive of PCI. The challenge with risk tolerance and PCI in particular, and other compliance issues, is externalities. You have to follow PCI because if I'm an irresponsible merchant it can cost you money: if my credit card data gets popped and then somebody comes to your store and spends money, you're the one as the merchant that gets taken. So we have a financial externality that actually justifies something like PCI; I won't say it justifies PCI. So if you're willing to accept the risk, that doesn't mean that you should be able to endanger the entire financial system because you're irresponsible, and that's where things like PCI come into play. And if we don't actually do a good job, then heaven forbid people in Washington make it laws and make it even worse for all of us.

Yeah, I mean, it's kind of along the lines of why is it a law that you have to wear a seatbelt, right? Why do we have insurance, why do we have, what is it called, uninsured insurance, whatever that thing is, uninsured driver insurance? Because everybody has insurance, right? So yeah, I agree. I'm only keeping you from lunch, so feel free to hang out and ask more questions, or the bar or the tavern or I don't know where. Let's run out to Harvard Yard real quick and take this. [Applause]