3. Who’s The Hairy Thing?
Geek &
Dr. Dark
Web
Researcher Hacker
Dad
Chris.roberts@boomsupersonic.com
@Sidragon1 (LinkedIn AND Twitter)
Boom Supersonic
4. Agenda
• Pat on the back?
• Y’all got a nice tick in the box...
• Why THIS talk?
• Isn’t everything ok?
• Audits
• Breeding like rabbits
• Choice
• Choice IS good, too much choice corrupts
• You
• The authorities...
• The businesses
• Passing the cost along
• So, what next?
• ...
6. You Ticked The Boxes...
You have a security posture
You integrate your teams
You have digital cybersurveillance
You’ve passed audits
You’ve done your awareness training
You have a trustworthy system
You use encryption
You have good security folks..
26. I MEAN Booming!!
• The global average mean time to identify a data breach is 197 days.
• The mean time to recover from a data breach is around 70 days.
• 76% of organizations were targeted by a phishing attack in the past 12 months.
• 75% of companies say a data breach has caused a material disruption to business processes.
• The global average cost of a breach is around $4m.
• We are losing an average of 22.5 million records a DAY.
• Statistically you now have a 33% chance of being breached in the next 24 months.
• USA is still the most popular target, 57% of breaches, 97% of the data...
67. Reality!
• It takes 1 minute to convince you to hand me your email…
• It takes 1 free offer to get your phone number…
• It takes 1 time to get you to click an email…
• It takes 1 connection with your Bluetooth or wireless…
• It takes 1 guess to work out you re-use your passwords…
• It takes 1 minute with your unattended electronics…
• It takes 1 connection on your social media networks…
YET…
• It takes 7-20 times to get through to you about awareness
69. Communication: Take time to exchange ideas with each other…
Cooperation: Independent goals, with an aim to share data
Coordination: ALL rowing in the same direction for once…
Collaboration: The whole is greater than the sum of its parts
86. Assets, what do you have?
Assets, where are they?
Who’s got access to them, and why?
What DO they do, what is their purpose?
What’s on them?
Which ones do you need to care about?
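The slide's questions (what do you have, where is it, who has access, what does it do, which ones matter) are the basic asset-management loop the talk keeps coming back to. The following is an added example, not code from the talk: it reconciles a constructed CMDB export against a constructed network-discovery result, audits each known asset against the slide's questions, and ranks them so "which ones do you need to care about" gets a first answer. Host names, IPs, owners and the end-of-life OS list are all hypothetical.

```python
"""Asset reconciliation and triage (added example; data is constructed).

Answers the slide's questions from two sources that disagree in practice:
what you THINK you have (CMDB) and what is ACTUALLY answering (discovery).
"""

# Constructed CMDB export. Every field is hypothetical.
CMDB = [
    {"host": "web01", "ip": "10.0.1.10", "owner": "app-team", "purpose": "public web",
     "os": "Ubuntu 22.04", "data": "pii", "admins": ["alice"]},
    {"host": "db01", "ip": "10.0.2.20", "owner": "dba", "purpose": "customer db",
     "os": "Windows Server 2019", "data": "pii,pci", "admins": ["bob", "svc-backup", "intern7", "intern8"]},
    {"host": "hvac-ctl", "ip": "10.0.9.5", "owner": "", "purpose": "",
     "os": "Windows 95", "data": "", "admins": ["Everyone"]},
    {"host": "jump01", "ip": "10.0.3.30", "owner": "secops", "purpose": "bastion",
     "os": "Debian 12", "data": "", "admins": ["carol"]},
]

# Constructed discovery scan: IPs that responded on the network today.
DISCOVERED = {"10.0.1.10", "10.0.2.20", "10.0.9.5", "10.0.5.77", "10.0.5.78"}

# OS families no longer receiving vendor patches (illustrative, not exhaustive).
END_OF_LIFE = ("Windows 95", "Windows XP", "Windows 7", "Windows Server 2008")
MAX_ADMINS = 3                                   # policy threshold, hypothetical
SENSITIVITY = {"pii": 3, "pci": 4, "phi": 4}     # weight per data tag, hypothetical


def reconcile(cmdb, discovered):
    """'What do you have / where is it?': compare inventory with reality.

    unknown = live on the wire but absent from the CMDB (shadow IT, forgotten
    boxes); ghost = in the CMDB but not answering (decommissioned, moved, or down).
    """
    known = {a["ip"] for a in cmdb}
    return {"unknown": set(discovered) - known, "ghost": known - set(discovered)}


def sensitivity(asset):
    """'What's on them?': weight of the data tags recorded for the asset."""
    return sum(SENSITIVITY.get(t.strip(), 0) for t in asset["data"].split(",") if t.strip())


def audit_asset(asset):
    """'Who has access, and why / what is its purpose?': one finding per gap."""
    issues = []
    if not asset["owner"]:
        issues.append("no owner")
    if not asset["purpose"]:
        issues.append("no stated purpose")
    if asset["os"].startswith(END_OF_LIFE):
        issues.append("end-of-life OS")
    if "Everyone" in asset["admins"]:
        issues.append("admin access granted to Everyone")
    if len(asset["admins"]) > MAX_ADMINS:
        issues.append(f"too many admins ({len(asset['admins'])})")
    return issues


def triage(cmdb):
    """'Which ones do you need to care about?': rank by data value plus gaps.

    Score = data sensitivity + 2 per finding, highest first. The weighting is a
    deliberately simple stand-in for whatever risk model the organisation uses.
    """
    rows = []
    for asset in cmdb:
        issues = audit_asset(asset)
        rows.append((asset["host"], sensitivity(asset) + 2 * len(issues), issues))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    gaps = reconcile(CMDB, DISCOVERED)
    print("Unknown on the wire:", sorted(gaps["unknown"]))
    print("In CMDB but silent:", sorted(gaps["ghost"]))
    for host, score_, issues in triage(CMDB):
        print(f"{host:10} score={score_:2}  {', '.join(issues) or 'ok'}")
```

Run as-is it reports two addresses nobody owns, one bastion that is not answering, and puts the PCI database ahead of the Windows 95 controller only because of the data it holds; the controller with no owner, no purpose and "Everyone" as admin is the next line down. The point of the exercise is that the ranking exists at all; tune the weights to the business, not the other way round.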
87. When NOT What if…
“…million-to-one chances… crop up nine times out of ten.”
88. Closing
“I know you won't believe me, but the highest form of Human Excellence is to question oneself and others.”
89. Feeling left out?
Feeling helpless?
Feeling like you want in?
THEN TALK WITH PEOPLE..
Anyone around you!
Everyone close to you!
ALL the people...
90. “We may have all come on different ships, but we’re in the same boat now”
Martin Luther King, Jr.
Good Morning, thank you for having me, and welcome to a slightly different approach to explaining what IS going on in the industry AND the world around us all. You ARE going to have a LOT of people talk with you about ALL sorts of issues from maritime, to smart weapons, to EMPs and how the world is basically wanting to take us down....
HOWEVER
FIRST we have to solve OUR OWN problems, the fact that WE are doing a piss poor job of looking after ourselves AND each other... THE Fight within....
This isn’t going to be nice; it’ll be blunt, informative and should make you think about things the next time you go near a keyboard...
Moby Dick:
Because MOST of the security industry is chasing “around” 31,000 larger enterprise-sized companies for their business. The list is well known, circulated, and targets are on the backs of ALL the C-Suite, most of the technical folks and the MSPs/VARs that support them.
Yes... This IS a thing.... We now apparently pat ourselves on the back for being bloody unicorns...
The global average mean time to identify a data breach is 197 days.
The mean time to recover from a data breach is around 70 days.
76% of organizations were targeted by a phishing attack in the past 12 months.
75% of companies say a data breach has caused a material disruption to business processes.
The global average cost of a breach is around $4m.
We are losing an average of 22.5 million records a DAY.
Statistically you now have a 33% chance of being breached in the next 24 months.
USA is still the most popular target, 57% of breaches, 97% of the data in last 24 months
Welcome to the root of ALL.. The humble tick in the box
You know the ones...
Do you have a firewall?
NOT is it out of the shrink wrap or anything
Dammit, now they want to know IF it’s actually turned on
The Security industry circles them like packs of hyena or vultures waiting for one of them to fall, get breached, or for a vendor to be thrown out… pouncing on the fresh kill with glee…
SOX, SOC 2, Healthcare, PCI, FERC, NERC, NIST, CMMC, Etc.
One wants to know IF we have something, the other wants to know what color it is, and CMMC wants to know IF it’s plugged into the Pentagon...
PCI can only use QSAs
SOX needs accountants and lawyers
CMMC wants its own folks
FERC and NERC need wizards with magic missiles
Etc.
You can only join OUR club if you “fit” or pay enough....
Elitist anyone?
Sorry, not enough time to tick the box, have to build our auditing empire and take over all the others......
Welcome to the bastard children spawned from Vulture capitalism and DEFCON
We’re short millions of people
We’re minting millionaires daily
We’re attracting millions in investment weekly
Etc.
2021 anticipated numbers....
Not content with keeping stuff in one place, we have devised MORE ways to spread it all over the place; now we hide it all over the planet consuming great quantities of energy (Bitcoin alone consumes enough energy to almost make it into the top 10 country list of energy consumers).
Where one goes, the others follow soon after; think of us as a plague of locusts.
Used to be web-app-database.
hahahahahahah
An example of an adversarial perturbation attack (deviation) used to evade classifiers… (others include cats to dogs, and STOP signs to SPEED signs…)
We modified 0.005% of the data in the image.
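The talk does not publish the model or the attack behind that image, so the following is an added illustration (not the speaker's code) of the general idea on a toy linear classifier. For a linear model the weight vector IS the input gradient, so a greedy few-pixel search that moves the pixel with the most leverage is the same recipe gradient-based attacks use against real networks, minus the backprop. The image size (20,000 "pixels"), the weights, the pixel pattern, the bias calibration and the STOP/SPEED labels are all constructed so that exactly one pixel (0.005%, the figure on the slide) flips the decision; against a real network you would substitute the framework's input gradient for `w`.

```python
"""Few-pixel (L0) adversarial perturbation against a constructed linear model.

Added example; everything here is hypothetical and chosen for determinism.
"""
import random

WIDTH, HEIGHT = 200, 100          # 20,000 greyscale pixels, values in [0, 1]
N = WIDTH * HEIGHT
LABELS = ("SPEED", "STOP")        # score <= 0 -> SPEED, score > 0 -> STOP


def make_model(seed=7):
    """Constructed weights: mostly tiny noise plus three salient pixels, mimicking
    a classifier that leans on a handful of features. The gradient of a linear
    model with respect to its input is simply this vector."""
    rng = random.Random(seed)
    w = [rng.uniform(-0.01, 0.01) for _ in range(N)]
    for idx, val in ((4321, -3.0), (8765, 2.5), (15000, -1.5)):
        w[idx] = val
    return w


def make_image():
    """Constructed 'clean' image: a deterministic repeating gradient pattern."""
    return [((i * 37) % 101) / 100.0 for i in range(N)]


def calibrate_bias(w, x, margin=0.5):
    """Pick the bias so the clean image is STOP with a small positive margin."""
    return margin - sum(wi * xi for wi, xi in zip(w, x))


def score(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict(w, b, x):
    return LABELS[1] if score(w, b, x) > 0 else LABELS[0]


def few_pixel_attack(w, b, x, target=LABELS[0], max_pixels=50):
    """Greedy L0 attack: each round, find the single untouched pixel whose move
    to either end of its valid range (0 or 1) pushes the score furthest toward
    the target class, apply it, and stop as soon as the label flips.

    Returns the adversarial image and the list of pixel indices that changed.
    """
    x = list(x)
    direction = -1.0 if target == LABELS[0] else 1.0   # want score lower / higher
    changed = []
    for _ in range(max_pixels):
        if predict(w, b, x) == target:
            break
        best_i, best_gain, best_val = None, 0.0, None
        for i, (wi, xi) in enumerate(zip(w, x)):
            if i in changed:
                continue
            for v in (0.0, 1.0):
                gain = direction * wi * (v - xi)     # movement toward target
                if gain > best_gain:
                    best_i, best_gain, best_val = i, gain, v
        if best_i is None:                           # no pixel helps any more
            break
        x[best_i] = best_val
        changed.append(best_i)
    return x, changed


def fraction_changed(changed):
    """Share of the image the attack touched (1 pixel of 20,000 = 0.005%)."""
    return len(changed) / N


def run_demo():
    w = make_model()
    x = make_image()
    b = calibrate_bias(w, x)
    x_adv, changed = few_pixel_attack(w, b, x)
    return {
        "clean": predict(w, b, x),
        "adversarial": predict(w, b, x_adv),
        "pixels_changed": changed,
        "fraction": fraction_changed(changed),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"clean={r['clean']} adversarial={r['adversarial']} "
          f"changed={r['pixels_changed']} ({r['fraction']:.3%} of the image)")
```

The lesson the toy makes explicit: a classifier that concentrates its decision on a few input features can be flipped by touching only those features, and the attacker does not need the weights if they can estimate the gradient. Defences (adversarial training, input smoothing, ensembles) all amount to making that gradient less useful, not to making the model "100% protected".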
AND with about an hour inside YOUR environment I can turn Javelin, Carbon Black, AND Clownstrike against themselves and DoS your own systems.... (2018/2019)
Each of those layers has its own tick boxes, own challenges, own regulatory bodies and ways that they need to be used/adhered to/worked with/managed/reported on....
Ah, yep, this one… IF I speak nice words to it OR sacrifice the odd intern to the computer room it’ll all be ok?!? This ISN’T going to work, you can’t ignore that Windows 95 system OR BYOD any longer.
Oh yea, in case anyone forgot, Compliance does NOT equal security; it’s a fallacy and one we sell to companies ALL the time
Yup
Even though you purchased the EDR, XDR, EIGRP, NAS, NAC, IDS/IPS, DLP, HIDS,
Heck you got acronym soup and your shit’s still insecure.....
Who us? We might have mentioned 100% protection BUT if you read the fine print you’d realize that only IS the case in a controlled environment.... Which means IF you turn the computer on you’ve voided the warranty
Accountability anyone?
Ah, well what we say and what we do ARE two different things....
CAN I offer you hostage (I mean ransomware) negotiation services?
How about Incident response prepay?
Or a discount on your next hacker proof piece of software?
No perimeter
No barriers
No control
No asset management
No basics
No chance.
Because...
Attribution sucks.
Bad attribution is brinkmanship
Really bad attribution is war
(although we’re already AT war, just nobody wants to tell the Internet)
Why get a pittance for bug bounties when I can make bank selling the exploits to our own government (or someone else’s)
You don’t listen
You are a ONE way street
The intel you share is stale
AND the very people whom you SHOULD listen to, you alienate for the most part
Your field offices are a joke
Hi, this is the FBI, look we’ve been watching your computers for a while, they got breached and we’ve been using them to gather evidence, hope you don’t mind leaving them on......
Really?!?
You care about prosecutions and headlines, not helping.
Might as well get some, nothing else is going to help, so at least WHEN I get breached I can go drown my sorrows in good whisky and bourbon OR tea.
Let’s have a frank discussion… this IS where many of you are at!
Another work of fiction coming up......
Take a leaf out of the Visa/MasterCard book of business, charge the banks, who charge the companies, and they in turn charge the consumers for all this additional overhead....
At the end of the day the patsy/sorry customer will pay, they don’t have a choice.
Apparently MANY of you don’t think you do...
OR that the cost OF putting that tick in the box is too high, so might as well just fly under the radar OR respond to ALL the requests with “working on it” and send the same plan to everyone, after all who the hell checks....
Don’t even THINK of playing this game!!
Welcome to 2021, the insurance companies have woken up and are finally NOT always simply believing your SAQ works of fiction... That checkbox is now going to be examined and woe betide you if you’ve lied.....
Although, let’s face it, lying IS part of commerce apparently
Got found out?
Got breached?
Got a smack on the wrist coming up?
LEARN how to cry in public and apologize (or appear contrite)
Free first lesson, heck we know you’ll be back.
Money talks, and in the trifecta of our industry nothing talks louder than recurring revenues. What better way to generate those venture capital multipliers than to lock an entire population up and subject them to a battery of tests, exams, checks, probes, assessments, along with reams of paperwork? What’s better? Not just to do it once BUT do it quarterly, heck even monthly in some cases. Oh, while we’re at it let’s increase the revenue streams by dividing the pie up... we can call it data, show folks how each different element needs its own set of checks, balances, and folks crawling ALL over your systems on a regular basis. We ALL win, heck even the consumer wins... They get free credit reporting for life!!
Let’s face it, YOU aren’t going to change a damn thing by chasing one criminal at a time, YOU won’t fix anything by hassling US the hackers, and you won’t stop taking people’s money... So yea, go ahead and ignore the tick in the box, nothing’s REALLY going to happen TO you.
Heck even GDPR can’t get its shit together and we had high hopes for that.... There’s a queue of folks waiting to be assessed and not enough hands to go round...
Good question, the general population’s not woken up
The industry’s making bank (360 billionaires and counting)
You’re not making progress
The adversaries appear to be happy to just bleed us slowly and not kill us (yet)
So, yea, probably, at least until I retire, then someone else can deal with it...
Let’s look at some options....
Stop bloody fighting it with red tape, compliance regulations, and bullshit that slows things down
Best Buy? Micro Center? Craigslist? Or go out onto the job market to compete for talent, or bring in an MSP/MSSP? How do you even benchmark them when there’s no Angie’s List to evaluate them against? What questions DO you ask, HOW do you contact them, choose one, and what the hell is a bake-off?
Let’s face it, that’s not likely to solve ALL the issues, so how DO we change things?
This is one of the core ones: you get sold that perfect solution ONLY to find when things go wrong it’s NOT their fault. Have you EVER read that agreement, that software license OR the contract that basically says it’s all YOUR fault? We get you coming, going AND in the middle, AND then when it all breaks we charge you twice as much to fix it all back up and start you again…
NOTHING is 100%
NOBODY can “keep you secure”
ALL we can do (IF you listen and/or accept help) is to reduce your risk
ALL we can do is educate
We HAVE to reduce the complexity within our offerings!
Too many screens
Too many things to go wrong
Too many things to forget AND not enough hands to go round let alone catch it when it all comes crashing down
In our industry we are great at talking, at explaining ourselves AND we do it in a way that nobody understands ½ the time….
Talk in English or your native language
Listen with BOTH ears AND shut up once in a while.
360,000 NEW pieces of malware, viruses, trojans, programs every day.....
Kali is the Hindu goddess (or Devi) of death, time, and doomsday and is often associated with sexuality and violence but is also considered a strong mother-figure and symbolic of motherly-love
Don’t feel like spending days or weeks dealing with assessments, vendors or other things? How about a nice simple game of D&D for business… How about throwing out a few scenarios and seeing HOW you would fare?
It doesn’t always end well, BUT at least it’s happening in a TAME environment!!
I cannot over-emphasize this... Seriously the only way WE ALL win is if we work together!!
FBI take fucking note!!
Evaluate VENDORS BEFORE you bloody sign up!
Because this IS how much some of them care about YOU!
Yea, that “we consolidate into a single pane of glass...”
You ARE allowed to taser vendors.
SIMPLE THINGS!!!! STOP Complicating it, STOP wrapping it in red tape!!
The Late Sir Terry Pratchett. It’s NEVER “what if” or ”never” or “maybe” it’s got to be a Plan for WHEN
No matter what I say, what I’ve said, no matter how I’ve talked about it, many of you won’t do anything, some of you will do a little and hopefully ONE or two of you will do enough to NOT end up on the wrong side of an incident in the near future. For those of you who don’t do anything because security problems only happen to others, then I wish you luck, and will see you soon enough.