
Hello everyone. Hi. Hello. I'm so tired today, I only got two hours of sleep. I haven't done... so cold. Yeah, I should, right? Yeah, I just wanted to welcome everyone to Security BSides 2014. It's my second year kind of organizing, leading, doing it, and again I just want to thank all the attendees, all the volunteers, all the sponsors, and everyone else who made this possible. If it wasn't because of everyone here we wouldn't have a conference. So I want to encourage open communication; feel free to tweet. Our hashtag is BSides... BSidesBOS, actually hashtag BSidesBLS. It's actually the two hours of sleep coming in today. But I just wanted to welcome everyone.
Please, let's give my hands to... for kind of like the kickoff, let's just go ahead and clap our hands today. Thank you very much.
Usually making any of these BSides events takes maybe a year or more of planning, so again I wanted to thank everyone. This is our first time doing it one and a half days. All the organizers are in a blue shirt and all the volunteers are in a red shirt, so if you have any questions, comments, suggestions, feedback, let us know. Now I just want to introduce Mr. Jack Daniel. He is the co-founder of Security BSides and also is at Tenable Security.
So thank you very much, Roy. Thanks everybody for being here, especially the other speakers, the volunteers, the staff that make these things happen. BSides are important to me, they're important to a lot of people in the community, and I really appreciate the opportunity to join you. So my theme for the next year or two has been about, and it's going to be about, trying to move forward by doing some of the things we already know how to do. And we'll start out with this. This doesn't make headlines, but you know, The Hitchhiker's Guide to the Galaxy has the right idea: Don't Panic is a good starting point for us.
I know that drama is fun. I know that some folks in this industry kind of like drama. I know that screaming is sometimes fun. But we need to get stuff done, and perhaps a little calm, rational thought about it can help us. Also, we have an amazing ability to solve the same problem time and time again. We're phenomenal at reinventing the wheel; we're not always good at making it round each time we reinvent it, but that's it. So I'm Jack Daniel. Why should you listen to me? So I am a co-founder, I'm one of the people that sustains BSides. I was involved since before the first one. Just for a little point of reference, five years ago today
BSides was not actually even a thought. This is event number 124 globally in less than five years. Today there's another event going on; it's actually wrapping up right now because they're seven hours ahead of us in Algiers. It's their third annual one in Algiers. To give you an idea of what the scale of this is, we'll talk about that a little more, but I help sustain that community because it helps sustain me. Every time I get fed up with the amount of time and effort I put into it, then I come to an event like this and it's cool: meet with people, meet old friends, meet new friends, see the community connect, and it's
like, let's do it again. Technically I have no technical skills. I'm an auto mechanic. I'm not sure how I'm here or why anybody listens to me. The really short version is, one day I had to find my own parts, and since I knew how to use the computer, kind of, because I worked on Renaults where nobody would touch them, I had to look up my own parts. If you look up your own parts... I ended up, I don't know, somehow I became responsible for parts. You do parts, they hand you a tape and it has the new spark plug prices on it. This is going back many decades. And then if you're in a car dealership, a tape that
has an operating system on it, or your line-of-business app, is the same as the one that's got the spark plug prices on it, so you give it to the guy in the parts department. And so I eventually ended up running all of it for a bunch of car dealers, a chain plus some others that I was moonlighting. And as all of us that, you know, started out as network and systems admins: bad stuff happened, I had to fix it; it happened again, I had to figure out how to keep it from happening again. Bad people did bad things because it was Windows 98 and NT and those sorts of things, and so that meant having to learn how to
keep it from happening and make it better, and that's information security in a nutshell. One day, you know, seven years ago, I ended up seeing where the car business was headed and went from that being my primary source of income, being security and technology in that industry, to vendor space. Vendor space doing support and other things, firewall support, and doing a lot of community stuff. I was involved in the local NAISG chapter since the beginning. Unfortunately I haven't had much time to be involved in that group or other local groups with travel in the past couple of years, but you know, I started doing more and more community engagement as part of my job, and I started doing things like working
with the sales teams, sorry, but you know. And then, you know, for the past three years I've been at Tenable and I report to the VP of Marketing, so I'm technically in marketing, and I know that's like a bad word to a lot of people. But because I'm in marketing I was introduced to a really new term... You want to try something? Change mine. There we go. Okay, let's turn this off so you don't have to listen to the shuffle. All right.
How about that, is that any better? A little bit better. I'll yell, that'll make up for it. So anyway, I was introduced to a bizarre concept once I joined a marketing team. Those of you that are network and systems administrators and security people, you would be terrified to know what happens in marketing: I was introduced to the concept of having a budget. It's how we can sponsor events like this and a lot of other things. But I also get to be very technical, because we're a technical company, and so people like Paul Asadoorian and myself and Space Rogue and people like that are marketing people where I work. But marketing is cool because it lets me do things like
this. It lets me talk to people, listen to customers, and continue to drive. And so I talk to a lot of people, I see what's happening in the world, I remember what it's like to work for a living. I spent a lot more years as an unbudgeted admin, which all sums up to: you really shouldn't listen to me. Why? And here's why: you know your environment better than I do, you know your challenges better than I do. So here's what we do. You can ignore me until I say something that you like, and then you can tell your boss, hey, even that old fool knows it. And so in this talk I'm going to tell you some
stuff you know, hopefully in context you haven't thought about, but I'm going to tell you some things that you know. Now at first I thought that's really not... well, but I've done little bits of this elsewhere to see how it's going to go over, and it turns out, somebody pointed out to me that there's really nothing wrong. KPMG, Deloitte, PwC, Ernst & Young, you know, people like that wouldn't exist if there wasn't billions to be made on telling people stuff they already know. So I'm going to do it for free, which maybe means I'm not good at business, but I'm also hopefully going to have some context that's usable, unlike... So, but first a couple of things. We are
at BSides. You are here, as I mentioned; that's event 124, as Algiers is happening today. The green dots are ones that are upcoming. Some of them are tentative: Dubai is kind of off and on, Singapore is likely to happen, ones in India, I expect at least one of those to happen this year. You can see the US is well represented. In Canada, actually, I did not... because we got confirmation he's got a venue, there will also be one up in Cape Breton. There's a second one, look at that, see, I meant to... I grabbed the wrong screenshot, huh. Let's put one here too. Manchester is happening, a handful of others, and this happens because local organizers make it happen
and the local community participates and volunteers make it happen. So I said this is event 124. There is tomorrow's, San Antonio, event number 125. There were about 41 or 42 events last year in the calendar year, probably going to exceed that this year. As long as the events serve their need, that's great. There's a lot of people that talk about having too many cons, and my take is, yeah, there are some that seem redundant to me, but in the BSides community, if everybody leaves happy and the organizers do not leave bankrupt, that's pretty good. And as someone who has floated a lot of money to BSides over the years, that
last one means something. But it's about connecting people. Some of the first events, I met some folks whose careers started to advance very quickly just by connecting to the right people, people who suffered less because they knew who to reach out to in their community, and that's the real power of this: it's the conversational aspect of it in the community. And it's a very flexible model. Fourteen Australians at the Gold Coast at a pub during the nights after a more traditional conference, everybody's happy. Well, they're Australians, they have a pretty good head start on that, but everybody's happy, has something to drink, and they leave happy, that's great. Las Vegas, we have no idea how many people
we're gonna have at Las Vegas this year, but I would not be surprised if we go over 1200. We have a 350-room room block and a 700-room hotel, to give you an idea of the scale of that. If you'd like to be involved, this team would love to have more volunteers; every BSides team would like to have more volunteers. If you've got the time to be an organizer, that's great. It happens because of the community. It's, I don't know, buzzwordy, but it really is about community. That's an abused word with social media. It's about connections and conversations, which are abused terms, but it's real here. We'd
like to talk about having sponsors, not vendors. A lot of big conferences say they have sponsors; they do not, they have vendors. These people will happily take your money, but they're supporting the community, they're sponsoring this community. You're not attendees, you are participants. If this is your first BSides, welcome, it's fantastic to have you here. One of the things I like to say about BSides is one of the things you will not find at BSides is that handful of people wearing the Founders Circle logo or some other crap like that. We're a growing community; growing structures need growing foundations. If this is your first BSides, welcome to the Founders Circle,
because this is what it takes. We're all participants, there's no audience. I'm in danger of getting optimistic and idealistic, so I'm going to move on. Another first thought: normally I talk about the DBIR a couple times here, and here's my take on the 2014 DBIR. Everyone needs to read it, but I found it both overwhelming and underwhelming.
It doesn't get better, people. It doesn't, really.
They did some stuff I didn't like. One of the things that they try to do is trending every year. If you pay attention year after year, which you should, it's one of the reports I actually print on paper, I kill trees for it, and I scribble things in the margin. The overwhelming part is they added incident data, not just breach data, not known compromised and lost data, but they added incident data. It kind of muddied the waters and made it overwhelming. I've never written WTF in the margin of a 60-page document as much as I did, because in figuring out the numbers: is this incident or is it just breach?
And then they try to do trending, and one year LulzSec completely blows all the trends out of the water, and then we have a quiet year and it goes back to the Eastern Europeans scanning for 3389 and popping Micros point-of-sale terminals, and then we have the gangs doing ATM skimmers or gas station skimmers, and so the numbers get skewed wildly. The industry is not mature enough to trend well is what I learned from this. They do try. I found that they kind of lost focus this year, but it's still a lot of good information. It's fantastic to find stuff to scare people into supporting your ideas. Good read. I just
had to mention the DBIR. If you haven't read it you really need to. It is 60 pages; read the first couple of pages, the summary is pretty good, you can digest it all. There is some real value in drilling into it, but I'm not going to talk about that. I'm going to talk about this. This quote, everyone knows it, it's widely abused. That's actually part of a larger quote. The full quote is from George Santayana, a philosopher: progress, far from consisting of change, depends on retentiveness. When change is absolute there remains no being to improve and no direction is set for possible improvement, and when experience is not retained, as among savages, infancy is perpetual.
Those who cannot remember the past are condemned to repeat it. So, as among savages infancy is perpetual. Now that's kind of a Western judgmentalist statement, but there is truth in it: if you don't remember yesterday, you're not gonna... you know, if you don't remember the lessons of dropping the big blocks on your toes, you're not going to build the pyramid, right? You've got to retain it. We kind of suck at this in technology, and in security especially. All right, if that was a little too deep and too heady, another of the greatest philosophers of our time summarized it a little bit better. I know he was a Yankee, but I also know that by sabermetrics and
other things he's probably the best catcher baseball has ever had, and he was a great source of quotes. So yeah, it's the same stuff all over again. So what's the newest problem? I was asked to do a talk about BYOD earlier this year and it really set me off. Latest problem: people are connecting to our stuff and we're losing control and it terrifies us. Yeah, is that really new? Well, here's our data center, 1963, 1964, data center at NASA, and here's our remote connectivity problem. She may not even be in the same damn room. Now in fairness, you can literally follow a wire to this. It may be a long wire, but this is where we realized that we had to
do some stuff, right? So here we go. What's really keeping us awake at night is dumb terminal connections, right? And how much have we learned? All right, a little more realistically, that was not the end of the world. The end of the world came when we moved to a client-server model, because this was the end of the world, because we put power in too many places. We were never going to be able to manage this, out of control. What do you mean you can have computers under the desk that can do stuff, and someone will be big enough to talk to other machines? That's crazy. And then we put a lot of them together
and virtualized stuff, and this was cool, because we could make the mistakes that it used to take months to make when we had to buy and provision a server; we could make the same mistakes in seconds if we had enough horsepower. Now, the live virtualization was, we had to rewrite a lot of apps to take advantage of it and we had to buy much bigger servers, so the first few rounds took those same set of months, and then we had to misconfigure virtual networking before we could misconfigure the physical networking they were connected to. But now we've gotten better at that, and soon we'll have this, you know, Cisco, NSX, and all the software-
defined networking where we can instantly misconfigure our networks, and that's progress. But, you know, this was the end of the world, and I remember at an asic meeting like eight years ago or something saying virtualization is going to mean NT4 never dies. I told you so. And then the obligatory cloud computing crappy stock photo. Now I don't even have to own the hardware or colo, rent it or anything; I can spin this up, I can make the same mistakes in record time on somebody else's hardware. That's awesome, that's stunning. Each iteration we've had a common set of problems and a common set of values that are advantages that these brought, and then each iteration brought new
challenges as well as new opportunities. But we like to stream and scream about access control every time we iterate through, and now we've got this BYOD thing. And if you think about it, if your phone is like my phone, which is now a year and a half old, so it's only got a quad-core 32-bit processor, not a quad-core 64-bit processor like a modern phone, that's the same as connecting to a desktop or laptop, right? I mean, my little Surface RT here has a Snapdragon, it's a joke of a processor, it's more powerful than, you know, things that we thought were rockets on the desktop. It's a quad-core 64-bit chip and we consider it basically a
throwaway tablet. Once we've had all of these things, and now the Internet of Things is going to kill us all, right? The singularity, as some call it. The Internet of Things, what do we do with that? Well, so this is interesting. From a business perspective we have nothing to worry about, because we know that we don't bring consumer devices into the corporate environment. We never do that, right? Okay, all right, so we do, but they're always on properly VLANed, or better yet physically segmented, network segments. Oh damn. Wait, but we learned.
We learned that different machines should have different functions and different people should be connecting to the different applications running there, so this really isn't a big problem, right? We know how to do this, but we're going to panic about all of it again. The truth is, the Internet of Things is, I think, my first thought is we will probably see these ship with, I don't know, SNMP and UPnP and NTP enabled on the dumb things, and the first thing is our personal networks, people's privacy is going to be further degraded, if that's possible. When am I supposed to stop doing this, by the way? I've got plenty of time.
Detour, tangent: privacy. Here's my take on privacy. I hate Google, but I use the Google stuff, right? Hey Google, here's our privacy challenge. I've given up on privacy, and here's why. I was in San Francisco before RSA; I was actually doing the VMware Partner Exchange event. I go back to the hotel at the end of it, I look at my phone. Those of you that have Androids, you know that Google sometimes just pops up and tells you stuff randomly. That's like, hey, you looked up, you know, you googled One Memorial Circle, and it says, hey, it's time to leave, right? So I look at my phone and it says Junior Brown is playing
Yoshi's. Now Junior Brown is a phenomenal guitarist, American musician, so I've checked his website a few times from things where I was logged into Google. Phone obviously knows where I am. I haven't asked the phone anything. My phone says to me, hey dummy, looks like you're bored in San Francisco, one of your favorite artists is over there. And I won't say here, but I hurled a few f-bombs at my phone and said, intercourse thyself, Google, you bastard. And then I clicked on Yoshi's, called, they had tickets available, and I walked across town.
So there's the challenge and reward of privacy, right? Oh man, that's great, because you got tickets. Yes, we get tickets. So I need to buy them now, or can I just walk? Yeah, just walk in. So there's privacy. So Internet of Things, also I think reflective attacks. I wouldn't be surprised if networks get crippled from dumb stuff left open. Who knows. All the Internet of Things things, most of them thankfully only support telnet and HTTP for management, so they're not vulnerable to Heartbleed, but those that are, those that are going to be vulnerable forever.
Audience: Hey Jack, I had a good thing
yesterday. I had a telephone company call me, well, I mean my electric company. They asked me what is okay and would I be interested in this new service where they could like reach into my house... (Oh yeah.) ...with my equipment at times of their choosing, electric rates were high.
Right. So there are places where they do that, smart metering, and they tie it into your thermostat and other things, and where they do, you know, time-based rating and things like that, and that has some promise. I will say this: one of the first smart grid, smart electric organizations I had the mispleasure of dealing with used smart meters throughout a
neighborhood as a test, and they didn't really think about how significant the robustness of DHCP was. And they had a power outage on an underpowered network, and it took them 20 or 30 minutes to resolve the power outage, and it took over three hours for the slow network to be able to hand out addresses to all of the meters. So people were without power because they couldn't be metered, because they didn't know what to do. And so somebody said Active Directory runs DHCP, so they connected it to the power company's Active Directory DHCP. I spend more time in Windows than anything else, but using Windows for DHCP is really stupid. Microsoft has yet to
figure out DHCP in a reliable manner. It is amazing: your watch can run dhcpd and dhclient on a Linux kernel and scale beyond anything Active Directory can do today. It's still true. However, I think Microsoft pretty much has WINS nailed.
So some of you may have seen this before. The last time I showed this it had pictures of cute kittens on it; I've taken the kittens out. But here is sort of this mental exercise that I've been doing lately. Let's talk about the problem space in security. This is actually two charts plus a footnote, so let's ignore this one, solution deployment. Let's divide all of information security into stuff we know is bad and stuff that we know how to fix, right? And every day new bad stuff becomes known to us. I don't think there's a right answer here, but I'm gonna challenge some assumptions. So our problem space, where are we? We write new code, we have new
problems in the new code, plus we find problems in old code, and then we figure out, after we find the problems, it takes us a while to figure out how to solve them. And then solution deployment: we don't fix the stuff we know how to fix. This is a viable way to look at it, and this is, I think, the pen tester view, the vulnerability manager view. This is the way those of us that are testing systems see the world. If we talk to people that have been in this industry a while, particularly if they're in academia, not, I'll be kind, not the people who are a little disconnected from reality, but the people
in academia like Spaf, who's seen the real world, you know, people that get it, might offer this, and I've become one of these people: the problem space is actually extremely well defined. And we haven't heard from Mark Dowd in, what, like three years? There hasn't been a totally new class of bugs that we have to really worry about. There have been some new variations, but we pretty much know what goes wrong. And if we abstract the solution, I'm not saying this is easy, but let's abstract the solution to input validation and authentication, things like that, we actually know how to fix more problems than we know about. We can head off the couple of, you know, upcoming
things. The one that I think we can all agree on is, no matter where we put the first two bar charts, I think this is terribly optimistic on our rate of solution deployment. Where do we go from there? So let's be practical for a while. Yes, I work for a vendor. You want to give us money, cool. Don't talk to me, I don't want your money, I want you to use whatever. But let's ask two questions about our environment: what do you have and what do you know? So I recently did a talk on patching your patch management process. The answers to these two questions were, you know, the question was
what's the best tool to use, and my answer was, I have two answers: it's the tool you have and the tool you know, because you can be a little better tomorrow with what you know. In patch management that's not really true; there are better tools out there than what you've got, probably. Most of us don't have the budget to do it well, but the reality is, if you're trying to scrape by with an intern running Windows Update and WSUS, push that to its limit, hopefully you score a few quick wins and you move forward. What do you have and what do you know? We need to stop and think about that, and this actually gets
a little bit deeper, because once you think about that we can consider what is real and what's not, what we can do something about. What do you have kind of leads into inventory; come back to that. So I was in Oslo this past weekend. Actually, Wednesday morning I woke up in Oslo and Wednesday night went to bed in my own bed. In suburban Oslo, it's not suburban anymore, this has been moved there. This is one of the Norwegian stave churches. To give you an idea of the age of this, some of the columns internally in this church, a couple of the columns, were dated to 1174 and 1208. That was from a renovation.
Not far from here is the Viking Ship Museum, where they have three ninth-century Viking ships that were used as burial ships. So there's some old stuff here. These are called stave churches because they split logs lengthwise, and so they have these huge long staves that run up and down, and that's what the churches are. So this is, as we're turning Vikings from marauders into Christians, they started building these churches. They're beautiful. It's not just because I am mostly Norwegian, you can tell by the pear-shaped figure, male pattern baldness, etc.
This is a cultural icon. It's also surrounded by other wooden historic things. This is at a, you know, think Sturbridge Village or something, but millennia old and beyond in some cases. There are wooden buildings all around it. It's irreplaceable, even though the outside is largely a reproduction of another one; the core of that, that center core. So what's the danger to a millennia-old wooden building? So it was a rainy day when I was there. Fire is what kills wooden things. So if you take a close look, they did some threat modeling, and this thing is lit up, there's copper pipe everywhere, because they know what they've got, they know the value, and they know what it's worth
investing in. Really simple threat model. If you want a lot better threat modeling than this, Adam Shostack's got a new book. Adam... buy the book, buy the card game, steal the book from somebody and read the first three paragraphs, I mean the first three chapters. If you haven't, a quick pitch for Adam: even if you don't do threat modeling, the first few chapters of this book are great, because it walks you through thinking about threat modeling. He's one of the people in The New School of Information Security, one of the idealistic youths, although he's not that young anymore. So let's go back to fundamentals, things that happened when we had tape spinning on machines,
which, I'm actually not that old. Classification. Well, before we can do classification we have to know what's going on in our environment. So anybody familiar with the SANS Top 20, the 20 Critical Security Controls? It's a pretty good list. I'm not thrilled with it because it's sort of like training wheels, but it's a great model to use in your environment, because nobody's making you do it, so you can tune it. You can pick three and say I'm gonna do these. You can use it as a, you know, yardstick. It is one of the two guidelines that I like to point people to, because you control how you approach them. First thing on that is find all the
stuff in your environment, not just the stuff that's supposed to be there but the stuff that isn't, which is brutally honest, because there's stuff in your environment that doesn't belong there. And then item two is find all the stuff running on the stuff in your environment, authorized or not. And that's the challenge, right? If everything's joined to Active Directory and you're managing it through SCCM, that's great; it's the unmanaged stuff that's killing us. Just for reference, so item one is find all your stuff and then item two is find the stuff running on the stuff. The other one that I refer people to is the Australian Signals Directorate Top 35. That is not training wheels.
Item one there is not find your stuff; item one there is application whitelisting. One of these is a you-gotta-be-this-high-to-ride-this-ride, but it's basically the Australian NSA, but it's some great stuff there. They actually do some cool stuff like tell you how hard it is to implement, what it's going to cost to implement, ongoing costs, and what kind of mitigations: whether it prevents stuff from happening, whether it makes it easier to find it, whether it makes it easy to recover. Australian Signals Directorate has a great thing. But so some of the things that we have to do to do any of this: we've got to
know everything we've got, we've got to know where our users are, our assets are, our data, and then we classify that. So you can wire in your terminal and log into this box. This is nothing new, but we get this wrong all the time. Our environments are way too complex. 20 years ago when I was... 25, 30 years ago when I was still a mechanic, I could understand everything happening in the cars, including the rudimentary computers that were there, because they were microcontrollers at best and they were basically mirroring the function that we had done with vacuum and hydraulics or with centrifugal force. So ignition spark advance was done by
weights that flung out and twisted a plate so the points would rotate around the distributor, and so the first electronics were mirroring things that I could do and physically see. We moved into fuel injection and it was mirroring a lot of what we were doing mechanically. Now it started to get a little more entertaining, and then we started putting sensors in and tuning things, and that was when it was fun to be a mechanic, because you could go to Radio Shack, buy a bag of resistors, and you could shunt and ground and you could lie to the computers, because it didn't do sanity checking on those sensors. And for a few bucks and some time and
maybe a warranty controller or two, you could push performance and other things, could also fix problems. But now on your automobile you can't; you have no idea what's going on in computer systems. You could ask a computer science graduate student 20 years ago to explain everything that happened in a computer system in a three-second window. You can't do that with your phone now. The complexity is impossible. So what am I telling you about fundamentals? We'll pick what matters. Gross oversimplification, but users, we've heard this one before: not everybody needs to be a domain admin, not everybody needs to be a local admin. Our executives have access to data that
other people shouldn't have access to. Start with the obvious small wins, move forward. We all do this. I'm pointing here that it works; that's why I keep this 15-year-old thing, because it's smarter than I am and it's got a strong enough signal. So here's one that took me a while, but those of you that still fight these battles know this one. What's one of the most empowering things in security? It's the ability to fix stuff, right? I applied a patch, it didn't go well, quick, fix it before they yell at me. This has real advantages beyond this, though, because everything else gets better. Machines get popped; you can, if you've got the ability to image
quickly, there are a couple of things you can do. You can grab an image of that critical server that's been compromised, hand it off to the incident response folks. If you have a more mature program, what you can probably do is shift that back up to new iron or a new virtual instance and take that intact attacked system, shut it down and move it into a lab environment. But you don't even lose the machine, you just recover quickly. It means that thunder and lightning strike and, you know, the power bounces up and down until all your UPSes go away, because everything important is on a UPS that's got a good battery, right? Nobody does anything dumb like puts
generators in the basement in flood areas. Well, you know... wait, okay. So the ability to recover makes the whole thing a lot better. It also means you can actually update Exchange, because anybody that's ever run Exchange knows there's no such thing as too many good backups when you're applying a service pack to Exchange or doing a migration. Images, copies, whatever you've got, it gives you that. A bad analogy that people use in security often is that, you know, security is like brakes on your car, because it's an enabler: putting brakes on your car allows you to go faster. At the extreme that's true; anybody that's driven a car with no brakes would
know that. Actually, what is really cool about brakes is they let you stop the car. Bad analogy. I use a lot of them, but that one's just really bad. If anybody's into sports car racing, one of the things you find is last year's fastest car is not this year's fastest car, and so what is the first thing you do when you're just a little behind? You roll into the pits, you jack up the car, you pull the rear brakes off and put them back in the trailer. You've just now lost 30, 40, 50 pounds, and that might be enough to keep you in the game. What did I do? I threw away my brakes to
go faster because brakes slow you down but backups actually speed things up it allows us to screw up and not have a problem perimeter and access control so i was in the firewall business for a while i'm a huge believer in firearms i won't tell this audience that a firewall is a security device i won't tell anyone that a firewall is a security device it's a network health device at best and it is also a phenomenal choke point for traffic analysis and monitoring it is a stunning place to see what is happening in your network it's a great place to do a comparison what's happening inside and out of your network so the perimeter is
kind of a dead idea but we still rely on it we have way too much faith in the boxes at the edge but the boxes the edge really do give us some great visibility and they help us sort things out but we do it wrong one of the things that terrifies me is ipv6 so here's how we do perimeter and access control
you can you can kind of see the
so if we do it right it can do us some value what does it do well you know again the pen test mentality because you focus on that this isn't going to stop me it's not supposed to stop you but it might let me see you um we do it right we can we can kind of decide what's inside what's outside clean up the traffic enough to make it easier to spot what's inside and what's out here's another one if you're up against a really skilled pen tester or attacker segmentation's only going to slow them down maybe not that isolation and segmentation however really are valuable when i was first a network admin i was a big fan of huge
flat networks no bumps in the wire makes things easier to diagnose performance is higher et cetera et cetera et cetera the slowest network interface that you can find that involves a wire or fiber is gigabit and that's been through for what a decade now 40 gig stuff is used at reasonable prices uh you know 40 gig you can't talk to anybody in big industry if you're only doing 40 gig you know ask the folks at the akamai table the 40 gig throughput means anything to them right not even at the edge you know um so the bump in the wire the big flat network and break things up if it doesn't stop the bad guys well
wait a minute it stops the dumb ones and the lazy ones and the opportunistic ones that's pretty cool the other beauty of segmentation back to the car business these are holley jets this is one of multiple jets uh jet kits that still lives in my house so what do we have well they don't slam into each other and if i want a number 40 i look to the bin that says 40. and all that's in there is a 40. so if i look in there and all i should see and there is sql traffic all i see is sql traffic if i see anything that's not sql traffic i don't have to i'm i'm sorry staining ids is not dead
if i can look in here and say it's not sql traffic tell me about it right and you had netflow because everybody uses netflow because all of us old beardy unix network guys i've been screaming about netflow forever right netflow there's an unusual amount of sql traffic in this bin what happened oh dba's box got popped to get pivoted off and so there's terabytes of data going somewhere that it shouldn't this is practical this is hands-on i can't do this in the entire environment okay you get credit card data in a sql database let's put that one in a bucket let's watch it um
Yeah, who logs in. So, one of the things: BYOD stuff. I was told people are freaking out about BYOD, and some people are, and I get it; there are new challenges there. So identification, authentication, authorization: I lump these together. All right, so identification is not always easy. Is it me? But here's the BYOD thing. I was doing the second BYOD, I took out my phone and said, "Would anyone like to hijack one of my domains?" and I held up my phone. It's over there, I'm not gonna... and I said, "You need this. Oh, sorry, it's too late, the numbers changed," as the dials are spinning on Google Authenticator on my phone. Oh, you should make people bring their phones to work and use them for work, as long as they're using your authenticator. Maybe it's the WiKID open source package. Look, SMS: open my SMS at this event. Like, I'm drinking with Alex Hutton tonight. Well, that's nothing unusual. Oh, look, I logged into MSDN to download something, so there's my Live hit. Oh, I logged into Twitter from a different location. I logged into a different Google property. I'm logged into a Hotmail account that I use for certain specific things. I'll look at that, and oh, look, I drank with Alex last night. But wait, this machine of death and destruction does have the challenges people talk about, but why don't we focus on what's new? We have a properly segmented network. I only get access on my phone to the things I should have. I have to connect with ActiveSync so that the Exchange admins have control over what I do and my passwords. You know, you have to put an agent on, if that's the way your company works. There's some real power in that. Now, you lose that device: it needs to have passphrases on it, it needs to have crypto. The step I missed was I had to put in my password into TextSecure, because I use TextSecure and RedPhone on my phone, but it gave me a device which is mine, because if I know the PINs and passwords and things on it and can get to those things, I can use those two-factor authentication modes. So I'm actually moving us forward. There's still bad things with letting people have computers in their pocket that are more powerful than anything on the planet had when we sent them to the moon. There are still challenges there, but if we focus only on the challenges, the industry leaves us behind, and they should.
This was in the deck before Heartbleed, I swear, but if you want a case for why we need better revocation, Heartbleed is it. Our browsers tend not to look at revocation lists, because that slows down browsing and it makes us mad, and now, the size the revocation lists are getting, it's going to be really ugly, and then if they fail to look up, they're going to fail open. It's one of the reasons I'm still a proponent of, if you have small enough networks to throw enough horsepower on it, doing SSL proxies where it makes sense, because you can offload some of that to the SSL proxy at your gateway points; let it cache those certificate revocation lists and look things up. But whatever works for you; think about that. And it comes back to a real problem we have with definitions of trust. We talk about trust in technology the way we talk about it with people, and it just simply doesn't work that way. Both Brian Snow and Gene Spafford are more eloquent about this, but trust in a human relationship was based on family units, it was based on tribal units, community units. There were certain levels of implied trust and there was a certain type of trust revocation. Trust revocation included some forgiveness, and then you crossed the line and it was really hard to get back; it took a long time to get it back. And there was transitive revocation too: because I no longer trust you, I don't trust your family anymore. That's the way the human mind at the top of our spinal column works with trust, and then we ask VeriSign for a certificate. It doesn't work. But we need to think about how we revoke things. So who runs a lot of labs at home? Anybody else? I know there are a lot of people who run a lot of labs. Where do I submit my self-signed cert for revocation? Oops. That's kind of a challenge.
Validation and monitoring. Here's something we fall down on too, because we don't have the resources that we often need. We do something and we trust it. We trust WSUS has actually pushed the patches out. We trust SCCM has pushed the patches out. We know better, but we trust those systems. We trust that whatever vulnerability management system you're using has found everything. You don't spot-check it. You make assumptions about false positives and false negatives, and we don't monitor. So what we've done now is we've added some tools and we've blindfolded ourselves and we're walking around blind. So this is hard. I do have an observation on logging and monitoring; some people disagree with me, but there's a real challenge in monitoring things, and if you don't have a mature log management system, log analysis system... well, if you don't have a mature SIEM or log system that's properly tuned and used well, that makes you normal. That makes you common. If you've got a well-tuned SIEM that's doing what you need in your environment, and it's actually doing that, it makes you a unicorn. You know, talk to Anton Chuvakin; he wants to talk to you. He collects those, like, unicorn tears, and he doesn't have a full bottle yet. But how do we get better with this? This is, again, I'm not solving any problems. I'm making tomorrow suck less; that is my goal. I can beat that: so what I will make someone slightly less stupid have to compromise us, instead of the really dumb.

So what do we do with logging and monitoring? Let's keep more information for a shorter period of time if you're resource constrained, and randomly look at stuff. There are all sorts of tools out there that help you find things, from manually grabbing log files or event files, grabbing something like an old tool like Mandiant Highlighter and crawling through logs manually if you're not a grep user. The way we do log stuff, even those of us who live in log analysis and, excuse me, big data and analytics and things, there are times when we end up using tools like grep and Excel, right? So Excel, when it went to a million rows by a million columns, suddenly we can do some crazy stuff in there. Also it does a pretty good job of parsing XML and we can do some crazy stuff. I wouldn't want to use it on a daily basis, but, you know, sooner or later everything ends up in Excel, as long as it's only occasionally. But look at stuff, and if you're new to this, if you're new to these monitoring things, absolutely you've got to look at the top ten, because everybody wants to talk about the top ten. You look there and let's make sure that, you know, FTP isn't the number one protocol in your environment. There's kind of a fall-down of that that I've seen: nobody baselines their network. So what is the top ten? Is that really a part of what's supposed to be a part of the side, right? So the observation is nobody baselines their network, and so what we can do, practically speaking, short term, is: well, it looks like it got worse. I don't know if it was good or bad; it looks like it got worse. Take away from it. But the one thing I will ask you to never, ever skip is looking at the bottom five or bottom ten.
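Two of the practical points above, "all I should see in the SQL bucket is SQL traffic, tell me about anything else" and "never skip the bottom ten", are both a few lines of flow analysis once you have NetFlow-style records in hand. The block below is an added example, not the speaker's code or any vendor's, that runs both checks over a constructed set of flow records (source, destination, destination port, protocol, byte count; the addresses, the 10.2.0.0/24 "SQL segment", the allowed SQL ports and the 10 MB egress baseline are all assumptions made up for the demo). It flags non-SQL traffic entering the segment, flags a segment host pushing far more data out than its baseline (the "DBA's box got popped" case), and lists the least-talked-to destinations, where the four-machines-to-one-odd-IP case lives.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed flow records, one per line: src dst dst_port proto bytes.
# Not real data. 10.2.0.0/24 is the "SQL bucket"; 10.1.1.0/24 is the app tier.
FLOWS = """\
10.1.1.10 10.2.0.5 1433 tcp 5120
10.1.1.11 10.2.0.5 1433 tcp 4096
10.1.1.10 10.2.0.5 1433 tcp 6144
10.1.1.11 10.2.0.5 1433 tcp 5000
10.1.1.10 10.2.0.6 3306 tcp 2048
10.1.1.50 10.2.0.5 445 tcp 900
10.2.0.5 198.51.100.7 443 tcp 52000000
10.1.1.77 203.0.113.9 53 udp 180
10.1.1.10 10.1.1.20 443 tcp 3000
10.1.1.11 10.1.1.20 443 tcp 2500
"""

SQL_SEGMENT = ip_network("10.2.0.0/24")   # assumed segment holding the SQL servers
SQL_PORTS = {1433, 3306}                  # MS SQL and MySQL; the only thing that belongs there
EGRESS_BASELINE_BYTES = 10_000_000        # assumed per-host outbound baseline for the segment


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, nbytes = line.split()
        flows.append({"src": ip_address(src), "dst": ip_address(dst),
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def segment_violations(flows, segment=SQL_SEGMENT, allowed_ports=SQL_PORTS):
    """Anything entering the SQL bucket that is not on a SQL port: 'tell me about it'."""
    return [f for f in flows if f["dst"] in segment and f["port"] not in allowed_ports]


def egress_outliers(flows, segment=SQL_SEGMENT, baseline=EGRESS_BASELINE_BYTES):
    """Bytes leaving the segment per source host, kept only where above the baseline.
    This is the 'unusual amount of traffic in this bin' signal for a pivoted box."""
    out = Counter()
    for f in flows:
        if f["src"] in segment and f["dst"] not in segment:
            out[str(f["src"])] += f["bytes"]
    return {host: total for host, total in out.items() if total > baseline}


def bottom_talkers(flows, n=5):
    """Destinations with the fewest flows, ties broken by address for a stable order.
    The rare, once-a-week conversations surface here, not in the top ten."""
    counts = Counter(str(f["dst"]) for f in flows)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for f in segment_violations(flows):
        print(f"non-SQL traffic into segment: {f['src']} -> {f['dst']}:{f['port']}/{f['proto']}")
    for host, total in egress_outliers(flows).items():
        print(f"egress above baseline: {host} sent {total} bytes out of the segment")
    print("bottom talkers:", bottom_talkers(flows, 3))
```

The same three functions work unchanged on real exported flow records once `parse_flows` is adapted to the exporter's field layout; the interesting design choice is that none of them need a signature, only a statement of what a segment is for and a baseline to compare against.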
Why? I'm not worried about the bottom ten? Okay, you have four machines out of four thousand that send three packets to an IP in Uzbekistan once a week. Oh yeah, you know, that's more important than knowing whether HTTPS or SSL or SSH is the most important thing in your network. So take a look at the bottom.

Hardening. We used to... everything used to be turned on by default. You know, you install Server 2012 R2, it's got a touch screen UI, and that's just stupid. But Microsoft says you don't use the UI in 2012 R2, use the command line. If I wanted to use the command line I would be running Unix, like a real computer, because the reason Microsoft told us to use their servers is because they had a GUI. But, a little rant there: a touch screen server interface, thank you very much. And by the way, the latest 8.1 update makes Windows 8.1 suck less. But hardening, then, earlier versions of 8.1, or heaven forbid 8... and here's a challenge: you want all this cool built-in hardening that's innate, except for IE of course; you've got to go to the horrible UI that we all hate. But whatever. So there's still things that need to be hardened. The adoption rate of Microsoft EMET is depressingly low, and it's a good tool. There are other things. A lot of things are turned off by default now; they should be. We still do stuff like battle SELinux and say "screw it" and turn it off, because I'll turn it on next week when I have some time to tune it. So I'm a hypocrite there. So we just throw that one out there.

So a couple of closing thoughts. This one you may not be expecting here, but here we go. So I'm not talking about this kind of class warfare. This is one of the more stunning images that I've found on the internet. This is a favela in São Paulo. These are private swimming pools on the terraces, and then not private swimming pools. This is a poverty line. Wendy Nather coined the term "the security poverty line" about those people, largely in small business, underfunded organizations, non-profits, education, people that don't have the resources to secure their environments. They don't even know how insecure they are. If you try to explain it to them, they think you're trying to steal from them, or just shut down in fear. And we as an industry ignore them, because we can't make money off of them. BSides helps, I think. There are a lot of community events where those of us that come from that background, or are in that background, can learn tips and tricks. One of the things, having been in small business all my life: I am... Tenable was 128 people when I joined three years ago; we're 330 now. That makes it by far the largest organization I have ever worked for in my life, at 330. I'm a small business champion, small business advocate. It's a mess. That's who the Eastern Europeans have made money off of: badly configured point-of-sale terminals, for a decade plus now. But here's the deal. I say this a lot: our problems, our challenges, scale much more effectively than our solutions. If we create a solution that solves a problem for a Fortune 50 company, it probably doesn't help our family; it does not help the coffee shop down the street. If we come up with solutions for the coffee shop down the street, that may actually scale up and help that Fortune 100 company. We need to be a little bit more responsive. It's a dead end, I get it, but it just drives me nuts that our industry ignores them. And on the topic of scalability, I've also said this many times: I had discovered, at first it was a hunch, but now at my age I know for a fact, that there is nothing that scales as effectively as human ignorance and stupidity. That is just stunningly effective at scale. So think about that. You know, think about people doing really dumb stuff at the coffee shop. Don't scare them. A couple of years ago the DBIR, on the last page, had a little card you could give the lawnmower shop and say, "Here, this is not for me, this is from people that you probably paid too much of your phone; read this." And it said, like, make sure whoever does your credit card terminal changes the password, right? Little things like that. You know, if you've got a minute, that's like, really, use WPA2 on your coffee shop Wi-Fi and put a poster up with the username and password. It's okay, it's okay, it's better than what you're doing. Let's think about those below that poverty line. When we solve problems for them, it gets better.
So, the shameless self-promotion part of this. I have a couple of blogs. I'm really nice to my readers by hardly ever writing, so you don't have to read much. traveling curmudgeon.blogspot.com, I call it my travel blog; it's actually where Jack drinks, when he remembers to write about it. And Security Weekly, formerly PaulDotCom. Paul will be here tomorrow. I'm on that podcast when I can get over there. If you're one of our customers, we do a weekly podcast. I do not get drunk and throw F-bombs around; it's more corporate focused. And of course Twitter. And with that, one final parting point. This is the beginning of BSides Boston. We have the rest of today and all day tomorrow. I'd like to read a quote to you: "I do not know what I may appear to the world, but to myself I seem to have only been like a boy playing on the seashore, diverting myself and now and then finding a smoother pebble or prettier shell than ordinary, while the great ocean of truth lay undiscovered before me." That was Isaac Newton's take on his own contribution to society and life. He changed the way we view the world forever by focusing on prettier shells and smoother pebbles and exploring. At BSides events and other community-driven events you have the opportunity to connect with people who share your interests in those shiny pebbles, in those interesting shells. It may be shells at the capture the flag, it may be SIEM, it may be whatever it is. You can make a difference for yourself and others by participating, by joining in this, finding your pebbles, finding your shells, and enjoying BSides and being part of this community. Thank you very much.