
That's it? Was that it, or was that you telling me what the signal is? You're recording? Okay. They don't usually trim off those first couple of seconds, so I should shut up and get started.

So my name is Jeff, and welcome to the first official after-lunch session. I'm sorry, I'll try to keep you awake; I'll try to stay awake. The title of my talk today, depending on what audience I give it to, is either "The State of Cyber Security Today" or "The State of Information Security Today," your preference. Just my vital statistics there; if by the end of the talk you want to get in touch with me, I can share this with you. I can share the... well, it'll be on the recording. I've got a few business cards if you want to talk to me: seek me out, ask me questions, or tell me I'm full of it and should retire, whatever it is.

That's what I used to look like about 15, 16 years ago, back when I was cool and I actually had hair, and I fit in more with this crowd. Now I'm just an old bald guy.

This is roughly the agenda of my talk today. I'm going to talk a little bit about who I am, since probably most of you don't know who I am, and it's not because I'm all into myself and I want you to know all the great things I've done in my career. The premise of this talk is that I've been in the security business for quite a long time, and especially with what we call cyber security today, sort of the interweb and all that, it's been going on for about 20-some years. I got my start, as we'll see in a few slides, about 20 years ago as a pentester. I was asked to give a talk earlier this year, and this is the talk; I've been giving it quite a bit. I gave this talk in San Antonio back in February, and it occurred to me as I was putting this talk together that it had been 20 years since I first went to San Antonio to visit, at the time, an organization called the Air Force Information Warfare Center, which at the time was sort of the premier information security unit for the Department of Defense. So I went there to learn. But I'm getting ahead of myself; I've got slides and pretty pictures and stuff that talk about that.

I'm going to talk about security today. Again, I put this talk together mostly because, as an old-timer security professional, looking at all the breaches that have been in the news the last year or two kind of got me soul searching, really: gee, are we really doing things right? Are we really doing anything better today than we were 20-some years ago? So I'm going to talk a little bit about why we're failing. I'm going to talk about the solution; I will tell you what you need to do to do security right, and talk about the changes we need to make, and hopefully that'll spur some discussion so we can have some Q&A time towards the end.

So I've been in the business a long time, 30-some years. I spent sort of the first third of my career within the DoD, and I've been out in the commercial sector for almost 20 years now. I started out as a pentester back in the dot-com craze and did vulnerability assessments and security architecture work. Basically, I was a consultant, a hired gun, brought in to help companies figure out where their insecurities were, where their vulnerabilities were, very similar to, if you went to the afternoon keynote, the type of work that's still being done today. And then somewhere along the line my lifestyle caught up with me and I was sent to PCI purgatory. PCI is the Payment Card Industry, and I spent 10 years as a Qualified Security Assessor, or QSA, so I was the guy that was called in to come in and do the PCI audits, compliance audits.

My DoD background: I actually got started at the National Security Agency as a cryptanalyst, and I was in what was called the manual cryptosystem shop. The most secure cryptosystem in the world, the one that cannot be broken, is a one-time pad. I started with that; I was in an office that was producing one-time pads and other types of paper, manual-type cryptosystems, which came in handy years later when I became a pentester and wanted to do things like password cracking and stuff like that, so there was a tie-in there. I spent some time at NSA on what's called the operations side of the house, the offensive side of the house, what most people know NSA for: intercepting the communications of other, adversarial countries and, if you believe the news recently, also our closest allies. I was there during Desert Shield and Desert Storm, which was that small skirmish that we had 10 years before this longest war we've ever had, which is, you know, going on in Afghanistan right now. But then I got into an intern program as a cryptanalyst and ended up back on the defensive side of the house, what we called at the time information security, or INFOSEC, which is now, I think, what they call IAD, Information
Assurance. And I was part of a group that was formed to do ethical hacking, what we call today red teaming, and was sort of in at the ground floor of that for NSA.

Just because this is a hacker/techie crowd, I wanted to throw in a few extra slides from the very beginning of my career. One of the first, pretty much my first project: I was approached by a customer that was using a traditional one-time pad, and they said, we've got these computers on our desk, isn't there some way we could use them to do this encryption/decryption process rather than spend hours writing it down on paper? Now, these were case agents that were comfortably in Allied territory, but they were talking with people that were what we would call spies or agents that were, back in those days, in the Soviet Union, and they would have the one-time pad fit in the heel of their shoe and they'd have to sneak their messages in and out. But the guy in the office had a big tablet; he had lots of luxury, lots of space to write. But even then it took them hours just to create these messages or to decrypt these messages. So we came up with a project of turning a one-time pad into what we called a one-time floppy. We put the key (the digits and the characters that are written on a one-time pad are key, just like you think about key today: the key is used to combine with plain text to produce a code) on a floppy disc. To my knowledge it was the first computer-based cryptosystem that NSA ever produced, and they really didn't like us doing it, because NSA was all about building little black boxes, and one of my first advisers there said, well, you know, there really is no such thing as software; all we do is firmware. So anyway, moved on.

One of the other things I did was a similar type of activity, only this was for US Special Forces. They also used paper. One of the A-team members or the Delta Force members would carry a backpack with about 40 pounds of paper. They used a separate one-time pad for sending messages and they used a separate one for receiving messages, and then they had another set of paper pads that gave them the call signs, the authentication that they used to say this is legitimate. They were in the process of converting what they called their base stations, their communications base stations, to run on laptops, and that was saving them a lot of space, a lot of performance, upkeep, but again they needed to have the key that was essentially produced put on a floppy disc, which is what we did for them.

The way that the Special Forces guys used it, their algorithm, if you will, is something called a Vigenère square, which is simply 26 slides of the alphabet against itself, and by doing that you create unique three-character combinations, or what we call trigraphs. It turns out that when you do this there's something like 123 unique trigraphs that are formed, and the Special Forces guys would memorize them, so when they were encrypting and decrypting they were doing it all in their head. I was working with them, trying to help them work on these systems, and I didn't have it memorized, so I just came up with this little... I had just been through the crypto 101 history classes and learned about cipher wheels, so I said there must be a way to make a cipher wheel that does the whole Vigenère thing. And I did it; I came up with one. The first one I made was on graph paper. I rubber-cemented it (does anybody remember rubber cement? When's the last time you saw rubber cement? Do they still make it? I was thinking about that the other day); I put it on cardboard, I put a little acorn pin in it, cut it out. So I took it with me the next time I went out to a Special Forces unit to talk to them and do some training. I'd turn my back to the people to write on a whiteboard, turn around, the thing's gone. They were stealing it from me. So I made some more, bring them out, they kept stealing it from me. So we finally broke down and said, would you like us to make some of these things for you? So we produced like 15,000 of them and sent them out, and that was like in the late '80s, and up until the last couple of years, in fact earlier this year, I gave this talk and somebody after came up to me and said, I didn't know you made that thing, I got one of those. So I always will run into, you know, former Special Forces guys, or I think they used them a little bit in the State Department, but they came to call it the "wizzy wheel." So if I ever meet a Special Forces guy I ask them if they've heard of a wizzy wheel; nine times out of 10 they have, and I tell them that I invented it, and they either hit me at that point or they buy me a drink. So it's kind of cool.

Anyway, for a while I was a cryptanalyst, and I was really excited two summers ago when Wired magazine put out an article talking about some guy at CIA headquarters that solved, cracked the code of this statue. It doesn't really show up too well here; has anybody heard of this? This is called the Kryptos statue; it's in the courtyard at CIA headquarters. So early in 2013 they had an article saying that this guy at CIA headquarters had broken it, tediously, over like 10 years, and then a few months later this article came out and said that a bunch of NSA interns had taken the code down, taken it back to headquarters and broken it years before this guy from CIA headquarters had done it. So I am happy to say I was actually one of those interns. It's one of my favorite stories that I never got to tell until Wired magazine put it out in the public realm. But we were kind of offended that this statue was at CIA, because NSA is the crypto agency, not CIA. So anyway, we did take it back, and actually in the article they had a copy of a memo. I had forgotten it, but there was a memo written by, like, the director saying okay, you guys can work on this, but don't do it on company time, basically, and don't use any of the company hardware, you know, all the super mainframes that we have to do all the statistical stuff. So we basically had to break it all by hand. So that statue contains four separate messages. Three of them were broken rather quickly; nobody has ever broken the fourth one. It's not very long, so it's harder to break when you have less traffic to work with. So to this day the fourth message has never been broken, so the entire message that the sculptor, the artist that created the whole thing, has never had his entire solution revealed. He'll probably take it to his grave, I don't know. But anyway, that's my days at NSA doing fun stuff, and then I ended up getting into pen testing and vulnerability assessments. That was also fun stuff.

I mentioned that I went to
AFIWC 20 years ago, and that was sort of the genesis of this talk. Back then we didn't really call it red teaming; I think that term came along a few years later. But we did call it penetration testing; we talked about having penetration envy and all sorts of fun stuff like that.

One of the last things that happened while I was at NSA, we were trying to do some work for the Department of Justice. In fact, I just printed up some of the letters in the correspondence between the Department of Justice, an organization called DISA, the Defense Information Systems Agency, and NSA. I'll share this just because it sort of sounds like it's related to the whole Snowden thing, in that NSA is not chartered to do what NSA does, or at least historically wasn't, to US citizens, US entities. So the idea of ethical hacking or red teaming or pen testing, for all the good benefits, for NSA to do something like that was kind of not something that we did. So we had this months-long process of getting all sorts of special permissions, and everybody had to review it, and lawyers and this, that and the other. Basically, the Department of Justice wanted us to come in to do some pen testing of their networks, to tell them what their vulnerabilities were, and we were about six months into getting the authorization, and we were this close to getting all the signatures and all the permissions, when I got a call one day saying we've been hacked, and their website was defaced. Does anybody even remember this? It was one of the early ones. I want to say it was in August of 1996. Janet Reno was the Attorney General; they replaced her picture with a picture of Adolf Hitler. They had a link to the Playboy page; playboy.com was brand new, everything was brand new back then. Of course they put the swastika up. I don't know if you can read it; I don't even remember what George Washington said, but I think he said something about "I'm rolling over in my grave because of the state of security in the world today." Anyway, so I was involved in early forensics exercises. I mentioned Snowden because we actually got in trouble with our own lawyers, general counsel, because they were very concerned that we were doing this thing that NSA isn't allowed to do, even though we thought we had all the permissions and the paperwork, and he mentioned, you know, this thing called the Church Act: haven't you ever heard of the Church Act? You might have violated it, you could get the director thrown in jail, and so on and so forth. The only other time I've ever heard about the Church Act in history is when Snowden did his thing; they cited the Church Act. The Church Act was, basically, NSA did some things during the Watergate hearings, the time of the Watergate break-in, doing surveillance on US citizens, and some Congressman named Church called them out on it and created an act, a law, that said specifically: NSA, don't do what NSA does to US citizens. Have I bored you yet? Because I haven't even gotten to my talk yet.

Anyway, so I got out into the private sector. I spent the first couple of years doing consulting, attack and penetration testing, which really turned into vulnerability assessment, which really turned into security program architecture and development, because nobody was ready for a pentest back then, as the gentleman earlier was talking about. And somehow I ended up doing PCI, and I was there for 10 years doing the QSA work, trusted advisor, basically doing a lot of teaching and a lot of consulting. A little bit over two years ago a buddy of mine from Tenable called and said, hey, do you want to be the subject matter expert for PCI at Tenable? Why don't you come on over? I did, and here I am telling you guys about the state of security today. So I'm one of the thought leaders, speakers, talking heads. Has anybody heard of Tenable? Okay. If you haven't heard, Tenable announced this week we just got a second round of investment funding, $250 million. It's a phenomenal amount of money to be invested in a very mature industry, vulnerability management, and I only mention this to say that we're doing a lot of hiring. If anybody out there is looking for a job, definitely check out our career page; we're hiring hundreds of people, all sorts of different positions.

I mentioned I was a QSA, and I just want to put this up there to show the different companies that I worked for. I worked for a practice in the mid-2000s that, for whatever reason, was the QSA group that was called in to help out the companies that had been breached in the mid-2000s, mostly by the Gonzalez hacking ring, so some of those names are up there more or less prominently displayed. I've been to lots of different types of companies, and this is just within the structure of PCI: obviously retail, but there's also gas stations, banks, insurance companies, e-commerce companies, web companies, call centers, data centers; you name it, it's up there. There's a lot of diversity, and the card brands themselves I've done work for. So the ones that are kind of huddled in the middle are the ones that were probably in the news in the mid-2000s; hopefully you recognize some of those names. Not to pat myself on the back or anything like that, but just to say that even as a QSA I've had kind of a unique experience, because there aren't a whole lot of people in the world that can say, oh, we were part of the team on the ground at Heartland days after their breach, trying to get them back into the good graces of PCI.

So anyway, let's move on. Where do we
stand today? Again, this is kind of a retrospective on 20 years of being in the information security, Internet security, infoweb kind of business. And again, I kind of started off writing this as a sort of soul searching: gosh, are we doing better? Because 20 years into it, what happens? We've got these major breaches, and I probably need to update this with the latest one a couple of weeks ago, TalkTalk. Unfortunately we keep adding to the list of the breaches. But what's working? Phishing attacks are working. We still have issues with passwords: not only weak passwords but shared passwords, and not only shared passwords but default passwords, default settings. Does any of this ring familiar to you? It keeps us all in business if we're in the pen testing business. And then, to add insult to injury, some of the things that we've relied on for 20 years, the building blocks and the tools we use, things like the Bash shell, turn out to have vulnerabilities in them that are 20 years old.

What's different today? Technology is obviously a lot faster. We're not just looking at hardwired networks anymore; we're looking at virtual networks, we're looking at everything moving to the cloud now, and we're passing the buck on to a cloud provider and trusting them to be more secure because that's the business they're in. So we're outsourcing a lot of this. It doesn't sit well with me; I don't know how it sits with you guys, but it just kind of makes me a little concerned. You think about what the motivations of the bad guys are, what the threats are today, whether you call them hackers or not, or if you get hung up on the names. Obviously they've figured out a way to monetize the data that they're stealing; that's probably first and foremost. Whether they're doing it for political activism, hacktivism, or just simply to make a buck, the threat is real and it's certainly out there. And as a former pentester, what I always used to tell my customers: they've got infinitely more resources and time to do what they do than what you're giving us in terms of time to try to figure out what's wrong and try to protect it. So the deck is stacked in favor of the bad guy, if you will.

So why are we failing? This is a little bit my opinion, but I believe, in my opinion, because I've been in the business so long, that overall in this industry, or in the business world, there's this over-reliance on technology. Companies don't have the skills and the training; they don't have the people. That's one of the buzzwords around the industry these days, the hacker community, the security community: there's a labor shortage, there's not enough people out there that know what they're doing. So for many reasons there's a reliance on technology. You might have heard it said that there's no such thing as a silver bullet solution, and I believe that and I subscribe to that, but what companies have done too often is they've gone out and bought every silver bullet they can find, so they end up with a whole magazine full of silver bullets, and so they have all these things and they think that makes them secure. Now, this list is a little bit biased, because I've had PCI on the brain for so long; this is kind of a list of things that you need for PCI compliance to cover all the different security requirements. But 20 years ago, when companies were starting to get on the internet, it was: we have to have a firewall. And shortly after that it was: well, you need to have intrusion detection, or you need to have a pen test, or you need to have vulnerability scanning, or you need to have, what is it today, the big ones, a SIEM solution; you need to encrypt your data; you need to have two-factor authentication; you need this, you need that. And companies buy it; they go out and buy all this stuff. And where does that leave them? I don't know, but companies, big companies, are still getting hacked and still getting breached.

So what makes the network insecure, to my way of thinking, is sort of a combination. They've got all this stuff, but very often, and I've seen this time and time again as I've gone into customers and asked them, okay, what's the strategy here? They don't know. They don't have a written information security policy, and by that I mean they don't have a plan, they don't have a strategy. Very often companies know they need to do something, but they haven't really thought out: what is it I'm trying to protect, and where is it, and to what degree do I need to protect it? You can argue whether compliance programs are good or not, but PCI, again as an example, has done nothing if not taken a whole lot of companies that wouldn't ordinarily have done a whole lot for security in general and forced them to become more secure, just because it's forced them to understand a little bit more what's going on in their environment. And that's really the push of PCI these days. So it's a gimmick to get out of the business of PCI by de-scoping things, but to de-scope things you have to know where things are. So there's sort of this inverse relationship, and there's this hidden benefit, whether it's intentional or not: if you want to remove the scrutiny of PCI, you've got to identify all the sensitive data in your network and either remove it or isolate it, and to do that you have to understand where it is. So all these companies that are trying to get out of the business of having to do this burdensome PCI thing are cleaning up their network. And 10 years ago, 11 years ago, when we first started out doing PCI stuff, the data was everywhere, and it wasn't encrypted, and it was walking out every day on laptops by conscientious people trying to do work at home and plugging into their home networks, and so on and so forth.

I talk about the lack of commitment to security. It's almost like ignorance and it's almost like apathy, and everybody knows the difference between ignorance and apathy: I don't know and I don't care. Depending on what industry you're in, and again PCI is an example, they only do what they have to do because PCI tells them to, and they try to limit it. You think of the healthcare community: some of the big breaches this year were healthcare companies, and if you read the articles about what was stolen, it wasn't technically healthcare information that was stolen. So they might have been doing a great job of protecting the healthcare data, might have been fully HIPAA compliant, doing all the right things, doing everything they had to do, but somehow these companies collectively were missing the ball on: they still had sensitive data and they weren't protecting it in the way that it needed to be protected, because they weren't looking at it from a different perspective. So that all ties back to: what's your game plan, what's your strategy, what is it you're trying to protect, and why?

And of course I talk about decentralized administration. I don't know if you guys work for commercial companies or if you're working for consulting companies, advisory companies, but you're probably familiar with silos and how different groups are not talking to one another within companies, and it happens within our industry as well. I would very often go in to do a PCI assessment, and you have to talk about the firewalls in the network, so you talk to the network guys and you get the network architecture, you get the wire diagram, and you'd find out where everything is. And then you'd ask them, okay, well, where are all the sensitive servers, where's all the data on the network? And they'd shrug their shoulders and say, I don't know, I just set up the network; I don't know where the sensitive zones are. So then you have to go to the server guys to find out how the servers are being built. So you'd have talked to the Unix guys, or maybe it's the Linux guys, or maybe it's the Windows servers; it was a different set of people. And you talk to them about how they're building the servers, how they're hardening the OS, and they'll talk about that all day. And then you say, what apps are running on the servers, what kind of data is on the servers? They shrug: I don't know, I just keep the OS running. So on and so forth down the line, even DBAs: they talk all day about the schemas and the structures of the databases that they're in charge of, but start asking them about what kind of data is in the databases: I don't know, I just set up the schema. So there's a lot of willful ignorance, is what I like to call it. I'm just doing my job, I'm just staying within my lanes, I'm doing what I'm supposed to do, my light is green, so I don't have to worry about it. I think those all contribute to why some of these big companies are failing, and by failing I mean they're getting breached.

So on the flip side of that, what does that mean we need to be doing? We need to sell the idea of security better, both as an industry and within companies. And some of these ideas, this is sort of a
collection of my thoughts and my my Impressions more than anything um but you know selling selling the companies on you know what are the financial losses or what are the financial inefficiencies cuz usually it comes down to Dollars and cents you know you can save money if you do this or you can U theoretically save money by preventing this from happening those types of things um when you start talking money that's usually when the management and the executives start to pay attention and certainly when they see it in the news having happen to another company that's just like them or just like you or just like us that's when they start to listen so what do we need to do what
really needs to be done how do we solve this problem um I am more and more convinced that what really makes a difference holistically is education and awareness more people need to be aware of what security is all about what it is and isn't within an organization and that ties into understanding that security is not a state that you achieve it it it's something that you do I like to say that security is a verb it's not a noun and understand understanding that means you are involved necessarily in in an ongoing life cycle or process you as a company uh are are engaged in this and how you begin to get secure is first understand where you are in the life
cycle and and then proceed from there and you know this is not meant to be a speech on security but um you know traditionally it starts with an assessment where are you establish a baseline Where is the sensitive data what are our critical business operations who has access to the data what third parties are we allowing to come in and come out of our Network and where what have we outsourced what do we own who's responsible who's liable um and take all that information then build your strategy build your plan and write it down that's necessary the policy aspect of things and then build your Solutions based on that based on having an idea of what you're dealing with
based on having a plan implement it for a while run with it and then test it that's when that dirty word audit comes up audit is measuring what you're doing against some sort of set of rules or guidelines or standards uh people always talk call PCI an audit it's not an audit it's an assessment because it's designed to have be a security professional qsa coming in and just doing a baseline of where you are now you do that several times and it starts to look more like an audit but the the audit aspect of PCI is you should have a configuration standard for all your servers but PCI doesn't stipulate what the the standards are it
says use one so you have to come in and find out what one are you using and then measure it against that and it's ongoing as soon as you're done a auditing and it kind of blurs between auditing and assessing you're you're constantly refining and updating and new vulnerabilities are exposed that feed all this this is really in some ways the definition of a risk assessment um I have no idea what I'm doing for time what's the time check uh you got 20 minutes oh plenty 15 20 minutes okay plenty of time so um intent having a system having an a systematic approach having intention of Designing and understanding where you are that's really the heart of what I'm
trying to say is what's needed and that necessarily needs to be written down in the sense of you don't need to have this you know Shelf full of documents or you know a file system full of you know PDFs of what your policy is and I used to see this all the time PCR requires your policies to be reviewed annually so I would very often come on site and the 50 documents had been reviewed one day the week before I got there you know all of them on one day had the same date yeah I knew that they weren't really reviewing critically what the things said and updating it they were just changing the date and sometimes I'd let that slide
and sometimes I wouldn't um but you know the understanding that you need to have it written down you need to have it embraced by your entire company to the appropriate level ownership having everybody understand what their role is and how they fit into everything and then understanding ultimately it's not just what Technology Solutions what Security Solutions do we need to have in place and then we can sit back and say okay we're done we're protected so uh let me blow through this what is an information security policy ofcom describing it it's your plan it's your strategy it's a way to justify expenditures it's the way to decide if you're investing in this or that you
need one of these or three of these or who gets what um it's a way to go before your your your you know whoever your budget committee is within your company to justify not only the Investments and technology is necessary don't get me wrong I'm not saying you can't do it without technology but understand what the role of the technology is understand that the technology is ultimately a tool but a well-informed Workforce and staff especially within your it group or your security group is ultimately what changes things um but a lot of people think well security policy oh that's just writing I mean you know if you're a developer how how how much do you love
documenting the code that you write? Nobody likes to write stuff down; I think that's a universal truth. In the early days we talked about policies, and the firewall rule set in the early days was referred to as the firewall policy, the configuration. Well, that's not what we're talking about. We're talking about that overall guide, that overall strategy that dictates how everything is accomplished and how everything is implemented.

Yeah, as I said, a policy helps you build a business case. Companies are businesses; most businesses are run by people that understand business and business processes, so putting the need for security within your company in the language that the business people understand is key. Again, the compliance requirements really help. I used to come in and just whisper, hey, I know you know what's wrong with your network more than I do. What do you need? Because if I slap PCI on it, guess what, you're going to get it. And they're like, really? I'm like, yeah, really, test me on this. And so we'd test it and they'd get it, and they're like, oh, you're my best friend. Because I had this magic cape: if I said they needed something, the management didn't understand it, but they said PCI, we want it to go away, blank check, you can have whatever you want. So that's a little trick you can do, hopefully internally as well as if you're in a consulting role.

When you have it written down, when you have a strategy, when you have a framework, everything kind of runs more efficiently and everything works better and things start to happen. And again, I can't emphasize enough, it's not all about just throwing technology at the problem. Why efforts fail: because nobody does everything that I've just been describing, basically. That's my synopsis of that, trying to keep moving.

The keys to success: changing the corporate culture. I was talking to a healthcare crowd a couple weeks ago, and they were saying that's the number one problem within the healthcare industry, convincing doctors that they need to have a password and they need to use it and they need to change it, because doctors are not accustomed to being told what to do. So they've got this incredible culture problem within the whole industry that they're trying to shift. They know they want to, they know they need to, they don't want to be the next Anthem of the world, but they're still faced with this corporate culture problem of, ah, we don't want to do security, it's too hard or it's too inconvenient. So there needs to be buy-in from the top down. The line employees, the regular workers within a company, they need to see it being done by their bosses and their executives, because if they're not walking the walk, they know, oh, it doesn't really matter. And that means the CEO can't turn over his password and his email accounts, or these days it would be his mobile device or his tablet, to his secretary or his executive assistant and let her have access to it and let her take it all over the place and rely on her to keep it secure, and so on and so forth. So the first question to ask yourselves, if you're working for a company or if you're advising companies, is to try to identify where you are within this life cycle so you can proceed from there.

Now for my punchline. The heart of this presentation that you've just seen is verbatim a presentation that I gave when I first came out into the commercial world 18 years ago. Haven't changed a thing. Threats and motives: nothing's changed. Life cycle: nothing's changed. So now I ask you, and this is where we hopefully get into a conversation, a dialogue: if nothing's really changed, what needs to change? And I'm not saying I was cornering the market on thinking this is where security needs to be 20 years ago; the industry was saying all of this
20 years ago. Security practitioners have been saying this all along; nothing has ever changed. So again, these are my opinions, trying to sum up a lot of ideas and a lot of frustration of, gee, how as an industry do we do better? But I think if you're in a consulting role, or if you're within your own company, you need to help try to understand and identify first what the problem is. That sounds so basic, but a lot of companies I've been to, they don't understand what it is that they're trying to protect or what it is that they're trying to protect against. They know they need a this, they know they need a that. Why? I don't know why, just because I need to check the box.

Within our security industry I think we're culpable, because most of the security industry is driven by vendors, and vendors are selling solutions, and, do I say it on this slide or the next slide, but vendors lie. I used to see that all the time as a consultant, and then I became a vendor and I realized, well, it's not always that the vendors are lying. Some of them are conscientious and well-meaning, but they're as ignorant and uneducated and uninformed as everybody else, so they think they're saying the right thing, they think they're doing the right thing, they're using the buzzwords, or, to put it in 2015 terms, they've got the latest logo of the latest vulnerability, so they think they're solving the problem.

We need to break down what the problems are to simple issues that can be digested. Security is not really that complicated. It means you have to be paranoid and you have to assume that things are going bad, and you have to watch your network and you have to know everything that's going on so you can see when something weird is happening, because the something weird probably means something bad is happening. And we need to communicate more within the industry, within companies; we need to break down the silos and the stovepipes. We need to stop thinking, well, my light's green and so I don't care whatever else is going on. No, you have to understand you play a role in an ecosystem, and maybe you're a cog in the machine, but you're an important cog in the machine.

There it is, vendors lie, it was in here somewhere. Everybody's selling something, and this is a multi-billion-dollar industry, this whole security industry, that's mostly predicated on buying and selling technology solutions. There's a little bit, and I come from the consulting side, of buying and selling advisors and education and awareness, and I have a bias, but I think that's what we need more of. We need more educated consumers making the smart purchases and the smart investments, and also being able to smartly use the technologies that they necessarily have to buy. So again: define the problem; education and awareness. I think those are at the top of the list, which is all just, you know, we need to talk, we need to educate others. You guys know more than I do; I know something about something that you don't; let's keep talking. It's why BSides things are so great, but we're still sort of this one little silo within a community. You need to go out and talk to the IT guy, you need to talk to the DBA, you need to talk to the business person, and we need to stop calling everybody that doesn't understand it the way we do stupid or ignorant or uninformed, and educate them, because there was a time when we didn't know it, probably.

So I think there's a certain amount of ownership that we need to take as an industry, and take responsibility for our role of action or inaction in why we've gotten to this place. So again, security is a verb. It's a lifestyle, it's something we do, and it starts with you: be the change that you want to be, or you want to see. Set aside the... there's not too much arrogance or anything like that in this industry, but we need to be humble and we need to teach. If somebody doesn't know, explain it to them, and explain it to them in a way that they can understand it. And the best way to learn to communicate is to first shut up and listen, I've learned.

People talk about this whole industry being a game, and gaming is certainly a huge part of the industry. I tend to think of it a bit more as a puzzle, because puzzles have solutions. There might be more than one solution; there's not always just one size-fits-all solution, but there's usually a solution out there to whatever the problem is, or the puzzle. And the puzzle is not just how do we fix a problem; the puzzle I'm talking about is how do we fix this industry. There are ways to do it, and I'm not saying I have the right answer. I'm saying I have ideas of what I think is where we need to be going. Good communication, building trust, it's going to take time, and so on and so forth.

Questions, comments? Wake up. Yes, sir.

I just had a comment. You're saying that security...
I was kind of thinking of a paradigm from the Police Academy movies, and you know how Lieutenant Hooks was always the soft-spoken person until she got really upset, and then she started to be more vocal. And I always think that security now is always that, her character of, I'm going to be soft-spoken, and security, security. And you kind of made a presentation of, yeah, let's be a little bit more vocal and loud about our jobs, because a lot of people don't care about security. It's all about dollars, or it's all about, we don't care if somebody hacks us, or Stow comes around and says all this crap, and yeah, it happened. And I kind of learned to make that point that you just made: go out and be more vocal and say, hey, we've got to care about this, because down the road you want to avoid those things, and if you do, then you make more money, right? You don't have these problems.

Right, yeah. I mean, the biggest soul searching I've been doing over the last year, year and a half, is, is any of this worth it? I like to think that I go into a customer and I make a difference, because I come away and they're a little bit more secure. Not that they're secure, but they're not going to get hacked tomorrow. Knock on wood, none of the companies that I worked with the last 10, 12 years have been in the news recently. Now, unfortunately, a lot of them were my customers because they had, the week before, been in the news. Far and away too many companies get it, they get religion, because they get breached, and then they start doing things; then the purse strings open up. So I'm fighting this feeling of, why am I even bothering, what's it all worth? But I haven't given up yet, and I think we truly need to do something different, because we've been talking as an industry about needing to do something different for 20 years, and we're still doing the same thing. Yes, sir.

So, do you think, as a QSA, that PCI DSS is doing enough? I mean, we all feel, we know that it's a basic kind of security. We've seen companies that have had PCI assessments performed and yet they've been breached. So are they doing enough, and should they be doing more? And what is the value of having an ASV and not something along the lines of having some sort of certified pentester? Because I think we all get into where pentest means a lot of different things, and I think a lot is happening with the check-box pentest. So any thoughts on that?

So let me rephrase the question for Artu, for preservation's sake. Is the PCI DSS really doing anything good, is it worth it, or should companies be doing other things, doing more? Should they be doing more? Some worth there, but so, more. I actually do have a very strong opinion on that. I think one of the nuanced differences: I think the PCI Data Security Standard as a security framework is outstanding. Does it need a little bit of refreshing? Is it keeping up with the changes in technology? Not necessarily, I'd say no. But as a foundational security framework it's covering all the bases. What has been done with PCI in terms of enforcement is where it becomes viewed as a bare-minimum approach. In fact, I'm getting ready to write a blog and probably make a few enemies. The new director of the PCI community meeting was quoted as saying it's just a point-in-time assessment. I think that's a bunch of crap, because if you're actually doing what the PCI standard says, if you're actually compliant with it, that means you're looking at logs on a daily basis, which necessarily means you're probably using some sort of technology solution that's automating it for you; you're doing patch installation within 30 days of release of the patch; you've got a vulnerability program that's looking for vulnerabilities. Nobody does that. Everybody relies on the scanners, right? I work for a scanning technology company. Or you wait for the vendor to come out with the patch, and that's where the fire drill starts.

But so the second part of your question is vulnerability scanning, or an ASV, versus a pentest. I would love to have had a panel discussion with the keynote beforehand, and I have a presentation that I talk about pentesting in; if somebody drops dead, I can fill in and give it later this afternoon. In this day and age of pentesting, nobody ever defines what it is. What is a pentest? What's the purpose of a pentest? What a pentest typically is, 99% of the time, is a vulnerability assessment. I personally believe, because I used to be the guy that said, oh, I found the same problem I did the last time, years before, well, that could mean they're not doing their job. It could also mean you as a pentester aren't doing your job either, because you're not educating and providing the justification for making the change. But in today's age a pentest should really not be vulnerability based at all, because, take PCI as an example: you've secured your network, you've secured your systems, you have patch management in place, you've got vulnerability management in place, you're doing an annual risk assessment, you're scanning at least quarterly, and they're saying you get a clean result at least quarterly, which necessarily means you're scanning more often than that, you're doing an annual pentest, you're doing all these things. Where was I going with that? I went blank. And so you get to the pentest: the pentest shouldn't be finding a default password; that should have been picked up already. It shouldn't be finding a misconfiguration; that should have been picked up already. It shouldn't be finding the missing patch; that should have been picked up already. What a pentest has always been supposed to be is: you've put the secure things in place, and then the pentest is used to find out what you're missing, to connect the dots on things that are necessarily out there. So essentially a pentest should be threat based. It should be emulating what the bad guy is trying to do to break into your network, and can you detect them and can you catch them? So it should all be about the threat; it shouldn't be vulnerability based at all. If you're a pentester and you're writing a report and your result is "you're missing a patch," I'm saying it's a bad pentest. Your result should be "you've got a broken process that's allowed a system to be out here without this patch being installed that's been out for 750 days," or whatever it is, and what's wrong with your process for the last three years that didn't detect that this patch was missing?

But I think there's also a fundamental problem... Sorry, okay, question.

There's a fundamental problem, really, with a client going out hiring directly for a pentester when the client controls the rules of engagement.

Yep.

Because a pentest should really show
real business risk.

Yes.

And if the client says you can only look at this one aspect and you can't go further, and hit... and

Well, I haven't pentested in a long time, but as a QSA I had to review a lot of pentest reports. I used to get into arguments with my own company's pentesters, because one of their favorite findings, and it was a critical finding, was they found an FTP server. I'm like, well, did you exploit it? Well, no, I just found it; it was the Nessus result. I'm like, okay, I know that FTP is an open protocol, I know that there have historically been problems with FTP servers, I used to exploit them, but did you... They've kind of come a long way, and in fact in the early days the FTP server was a good target as a server because it contained all the user IDs and passwords for the domain, for the network. So if you could knock over the FTP server, which had lots of vulnerabilities, or if you could scan or sniff the traffic, the logins, you were getting the credentials to get into the domain. Most companies don't run them like that anymore; most FTP servers are sandboxed, most, and of course not all. But again, you should know not to use your same password on an FTP server as your domain password. Doesn't mean people don't do it, but if that's a finding, if you've exploited that, that's something where you go back and say, you've got a broken process, because you're not educating your users to keep them separate.

Time's up? Okay, let me move on. Are there any other questions? We can take this up later on. Yes, sir.

All right, so you had a slide that you showed in '98.

Yes.

So with that being said, we're almost 20 years on. What improvements have you seen in 20 years? Like, is the BSides community, and the community coming together, an improvement? Is there more dialogue?

I think this is a potentially good thing, and the fact that a different set of people that don't usually have a voice are getting together and talking about things I think is a good thing. I think we need to learn more about what the difference is, because all I keep hearing from the keynotes is the same old: we're doing things poorly, we need to do things differently. But it's always from this sort of perspective that the be-all and end-all is the pentest, it's the hack. And truly, if you've ever felt it, the commercial world, the business world, they don't care what we're saying, because they're making money hand over fist and they're willing to pay the price of the occasional pop here and there. I was at a risk seminar last year where somebody from Visa stood up, and part of his presentation was he said it costs Visa 42 cents, in terms of fraud loss, for every $100 that's transacted on a Visa card. And I'm sitting there thinking, I would pay a nickel for every $100 I spent to not have to do all this. Who wouldn't? It's like, why are we even bothering? Of course, Visa spends gazillions of dollars on fraud prevention to get that number down, but that's what they've gotten it down to: it costs them a nickel for every $100 that's transacted on a Visa card.

So as a quick plug, and we'll wrap it up: my next talk that I'm doing, in the evolution of my thoughts, and I hope to do it at a couple of BSides next year, is an attempt to teach us, this community, how to communicate and get our point across better, because we're great at talking amongst ourselves, but we don't typically do too well talking to what I've heard somebody refer to as the Muggles, which again is something we need to stop doing. We need to learn how to speak the language of business. You've heard that up front, but I'm going to give a talk on it just based on my 20 years of going into companies and having to talk to all sorts of different types of people. And then ultimately I'm trying to put together a training course. My first experience at NSA, that thing that I was talking about, building a computer-based encryption system: NSA had never done that before. So I'm 25 years old, having to pitch it to essentially the board of directors of NSA, explaining to them why it was a good thing to do and how we could do it securely and how it was okay for us to proceed with that. I've never looked back from that. I can talk to anybody, any group, because as a 25-year-old I was pissing my pants up there in front of all these suits, gray hair, much older, of course they're my age now, or I'm the age of them at this point, but that was scary for a 25-year-old to do. How many of us have the opportunity to get up and speak in front of a group? This is a great place to start. That's one of the reasons why BSides exists: to give everybody an opportunity to stand up and speak, learn how to talk to a group, to individuals. There's a lot of really smart people around here with a lot of great ideas that, as a group, we don't often get heard by others, and there's reasons why that is that I think we can get beyond. And again, it's education, it's awareness, and it's training, and it's opportunity. So I think I've probably blown past the time, so thank you guys, and hopefully we'll hang out at dinner tonight and talk more.