Infosec and me

Attending 44CON this year led me to take a significant step out of my comfort zone: I feel safe at virtualisation conferences, where I will boldly walk into a room and, where appropriate, introduce myself to someone new. This event was so far off my usual format that I had to rely on my inquisitive nature to lead me rather than confidence in the subject matter. Please note, I’ve not written that I’m a subject matter expert ;-). The event was truly an eye-opening bombardment of Infosec content, from speakers, to classrooms, to sponsors. In my previous post here I set the scene of what I intended to learn, so I won’t regurgitate it again, but it’d be reasonable to surmise that the words ‘secure’ and ‘cloud’ shouldn’t be used in the same sentence.

This blog post captures my first day at the conference: the things that caught my eye, grabbed my attention and pulled me under. I’ve dumped out some of my notes here from the sessions I attended, though of course not in their entirety; there was simply too much to take on board, as you’ll see from some of the fragmented wording.

There’s a summary paragraph at the bottom of this blog post so if it’s all too much to read then skip to the end.

Keynote

The keynote from Adrian thanked everyone for their attendance and support in making the CON a success and covered the uptake of the classroom training completed in the days leading up to the event. The sponsors were name-checked for their contributions, from finance, to presence, to provision of gin, to prizes. Speakers were warned to watch their time slots: should they overrun, they should be mindful that the flying ‘nerf-o-tron’ (an adapted indoor radio-controlled helicopter with a nerf gun upgrade) would interject. The call for papers had totalled over 250 submissions from all over the world covering a wide range of topics. Antarctica was cited as the only continent from which nothing was received, “…perhaps next year…?”. Finally the capture the flag (CTF) competition was announced, inviting teams to sign up and compete against each other to win tickets to next year’s CON.

Sponsors

Just a quick word about the onsite exhibitors and sponsors, as I’ve mentioned them: they were friendly and approachable, which I found to be a stark contrast to other events I’ve attended in recent years. Paying for an area to tout your wares draws attention, but it’s how you deal with the individual that I watch for. The vendors seemed calm, were happy to discuss technology, and conducted themselves and promoted their brand professionally. (Other vendors at the large mainstream conferences, please take note.)

A talk about Infosec Talks

Keynote over, Haroon Meer (@haroonmeer) from Thinkst took to the stage and presented a session entitled “A talk about (infosec) talks”. It challenged the value of the large number of Infosec CONs offered globally last year, which equated to one a day, delivering an average of 15 sessions per day. Many angles were covered, but the key points raised suggested that with too many CONs there are likely to be many repeats, and the quality of speakers may not be to the audience’s liking. The value of the conference is then in jeopardy, as it stalls the value of the content. Is this the speaker’s problem or the organiser’s? Further discussion leaned more toward the organiser and their due diligence, plus pressures applied by sponsors to shape content in return for promotion. Research is now revealing a new trend toward smaller CONs, which resonates with many as a positive thing. Big events command high entrance fees and travel expenses, whereas local events are often offered for minimal cost or even free. A greater number of geographically dispersed events gives more people the opportunity to attend with few issues in arranging time away from the office or expenses. Smaller events give up-and-coming speakers the opportunity to pave their way upward. The downside to the smaller events is that the signal-to-noise ratio is often far worse. Other topics touched on related to the content and how it was delivered, whether it cited formal references and to what purpose, how it made you feel, and being mindful of how you use the content you take away. Making notes from a respected industry person doesn’t make you an expert when you regurgitate them.

Anyway, I made a lot of notes from this session and certainly won’t attempt to summarise the rest of the content, which you’ll be pleased to know :).

Note: the main sessions were recorded for post-conference viewing, and DVDs will be made available for purchase from the http://44con.com website soon if you’re interested in watching them.

Context Clues

From this 147-slide epic session I moved on to a classroom session from Michael Viscuso and Ben Johnson of Carbon Black. The session opened by talking about the approach to cyber attacks: the ‘prevention play’ tactic is dead, but there are other ways. Global anti-virus companies make decisions about their product and promote the idea that a single install will cover all eventualities, but as we know this simply isn’t the case. How do you protect your company? Say ‘no’ to everything? That’s simply not going to work; users always find a way.

Tracking down threats and assessing whether they are real can be broken into four headline areas.

  1. Visibility – do you know what’s going on in your environment? How many versions of the same product are deployed? A threat to one version may not be a threat to another.
  2. Metadata – do you know your environment? Use your data to decide what you consider an anomaly. This is where the global anti-virus companies can’t help you.
  3. Frequency – irregular patterns of activity don’t necessarily mean there’s a problem. If you have a grasp of your metadata you’ll know whether it is a problem.
  4. Relationships – combine the three topics above to create a relationship mapping, and then you have far more intelligence than any one global anti-virus company would ever have.

Zero false positives and zero false negatives are far more achievable with this style of approach.
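As an added illustration of the four views working together (my own sketch, not code from the session or from Carbon Black), the Python below runs them over a small constructed file inventory: the hosts, hashes, versions and writer process names are made up, and a binary is only flagged when all three signals (rare, conflicting hash for a known version, unusual writer) agree.

```python
from collections import Counter, defaultdict

# Constructed sample (not the classroom data set): one record per binary seen
# on one host, with the version it claims and the process that wrote it to disk.
OBSERVATIONS = [
    {"host": "ws01", "product": "acrobat", "version": "11.0.1", "sha": "aaa1", "writer": "msiexec.exe"},
    {"host": "ws02", "product": "acrobat", "version": "11.0.1", "sha": "aaa1", "writer": "msiexec.exe"},
    {"host": "ws03", "product": "acrobat", "version": "11.0.1", "sha": "aaa1", "writer": "msiexec.exe"},
    {"host": "ws04", "product": "acrobat", "version": "10.1.4", "sha": "aaa0", "writer": "msiexec.exe"},
    {"host": "ws05", "product": "acrobat", "version": "11.0.1", "sha": "beef", "writer": "winword.exe"},
    {"host": "ws01", "product": "7zip", "version": "9.20", "sha": "7z01", "writer": "msiexec.exe"},
    {"host": "ws02", "product": "7zip", "version": "9.20", "sha": "7z01", "writer": "msiexec.exe"},
]

def visibility(obs):
    """Visibility: which versions of each product are actually deployed."""
    versions = defaultdict(set)
    for o in obs:
        versions[o["product"]].add(o["version"])
    return {p: sorted(v) for p, v in versions.items()}

def frequency(obs):
    """Frequency: how many hosts each distinct binary (by hash) appears on."""
    hosts = defaultdict(set)
    for o in obs:
        hosts[o["sha"]].add(o["host"])
    return {sha: len(h) for sha, h in hosts.items()}

def relationships(obs):
    """Relationships: which processes are observed writing each product to disk."""
    writers = defaultdict(Counter)
    for o in obs:
        writers[o["product"]][o["writer"]] += 1
    return writers

def find_anomalies(obs, rare_hosts=1):
    """Combine the views: flag a binary that is rare, claims a version already seen
    elsewhere with a different hash, and was written by an unusual process."""
    freq, rel = frequency(obs), relationships(obs)
    by_version = defaultdict(set)
    for o in obs:
        by_version[(o["product"], o["version"])].add(o["sha"])
    flagged = []
    for o in obs:
        rare = freq[o["sha"]] <= rare_hosts
        hash_conflict = len(by_version[(o["product"], o["version"])]) > 1
        odd_writer = rel[o["product"]].most_common(1)[0][0] != o["writer"]
        if rare and hash_conflict and odd_writer:
            flagged.append((o["host"], o["sha"], o["writer"]))
    return flagged
```

Note that the older version on ws04 is rare but is not flagged, because neither its hash nor its writer conflicts with anything else seen; only the rare binary on ws05 trips all three checks.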

The session then broke into a classroom exercise. An environment was provisioned using real-world anonymised data of discovered files, and from there the attendees had to review the versions, the frequency and the relationships between them to elaborate the points above, but by applying a human identification approach. What made this exercise fascinating for me was how my thought process changed as I moved from one stage to the next, and that the two people I worked alongside also challenged some of their previous decisions. Collectively we challenged each other as well as ourselves. Gut feel and experience (the human touch) meant we achieved a higher success rate, but the further we proceeded through each stage, the harder it became to remember previous decisions, which led to a far poorer outcome.

A thoroughly enjoyable session.

Culture & CNA Behaviours

My next choice of topic was an overload. Knowing what I know now about the content and how much it made my head hurt wouldn’t stop me from attending it again. It was just too much for my little head to comprehend, but as the session was condensed from three years’ work into 90 minutes, looking back now as I write this, it wasn’t a surprise.

Char Sample discussed culture and Computer Network Attack (CNA) behaviours. Much of the talk was based on her recent work and discussed Hofstede’s cultural dimensions framework and how much of it assisted, and provoked more questions in, her studies. Out of respect for the depth of the work Char has completed, I’ll just impart a few areas that really stood out for me.

The opening gambit posed the scenario about applying new methods to old problems:

  • Rather than thinking about IP addresses, think about what the attacker is thinking, to give an idea of the next move
  • Psychological profiling provides mixed results, and placing people into different buckets usually tops out at 10 ‘types of people’

Introduce the cultural angle and, as an example, how we approach problems shows that we’ll all reach the same answer but arrive at it in many different ways. Why? The way we’re culturally brought up and exposed to experiences shapes this. In this session ‘culture’ was defined as “The collective mental programming of the human mind which distinguishes one group of people from another.” Another everyday analogy was offered relating to football and the World Cup: every team plays football, but they all do it differently, and at times this is clear to observe. The session continued by discussing many cultural facets and how we’re moulded into a way of functioning throughout our lives, and that the influence of culture on cognition is inescapable and habitual. An example comparison was thrown out to the audience: Eastern culture takes more of a holistic approach to problems, with everything considered to form an answer, whereas the Western approach is to do what’s needed, fix the challenge and move on. Applying this thought process to software development could help a would-be attacker consider the originating development team’s location and style of code creation. Perhaps an initiative is needed to offer code reviews within designated universities to understand what role culture and personality play in blind spots and bug introduction.

A very deep session that provoked many questions from the audience and opened up an area outside the typical offensive/defensive stereotype attitudes.

Cyber Defence or Defending the Business?

The session delivered by Bruce Wynn focused on the pressures and challenges of how areas of the business are forced to make important decisions about cyber protection, and how this can often lead to distraction and oversight in protecting the business itself. The content at times resonated with recent discussions I’d been party to and as a result drew me further into the session.

There’s a perception by some that applying a traditional technical approach using penetration testing, AKA ‘pen-testing’, would be a one-off exercise that mitigates all concerns once the issues found have been addressed. That is of course not the case, and in many respects it could be seen as opening the door to wider abuse. Penetration testing provides the ‘tester’ with a full report of your organisation’s technical vulnerabilities, and so presents immediate areas to consider:

  • Are you using a trusted and known company or an independent contractor?
  • What happens if the recommendations aren’t implemented for a period of time?
  • The trusted ‘pen-tester’ has the opportunity to gain access; what then?
  • The trusted ‘pen-tester’ has the responsibility to keep the information safe, but what if it’s shared internally?

Assuming a test has been undertaken and the identified issues addressed, where’s the update cycle? Baselining to a standard version or design in itself places an organisation into a known, published state. A level of compromise will always exist, and there will always be a need to update or upgrade.

Know what you have

What’s important to your business? An example was discussed openly in the session of a well-known brand and their products. When the audience were challenged as to what we thought the most important aspect of their business was, no one managed to provide the correct answer. In the context of the discussion it had nothing to do with the product or its design; in fact it was the financial aspects, due to the nature of how the company trades. Until the right questions are asked you should never assume what’s important.

Where third-party supply chains are involved, are you able to trust the suppliers? What about their suppliers? You may pass confidential information to a close provider, but can you ensure that information doesn’t leave their environment? Keeping your own house in order is of course a must: IT system administrators and security team members have varying degrees of privileged access to the heart of IT systems for internal and external functionality.

This was my last session of the day and was certainly a good way to bring it to a close.

Closing Keynote

Back in the main hall, Adrian closed the conference day by acknowledging its success, the over-subscription to certain sessions, and that all the Tamagotchis had been sold; there was a classroom session devoted to dropping code and executing it on the furry little devils and revealing the data and stories they hold. :-o

In a completely ironic moment the CTF day 1 results were announced, and the leading team were openly shamed and deducted points for ‘hacking’ another team and deleting their data. This generated much mirth amongst the audience.

On then to the party.

Summary

Having completed my first attendance at an Infosec conference, and not knowing quite what I was letting myself in for, I have to admit to being a little hooked. Dipping my toes into a topic so far outside my usual daily routine, it could be argued that it’s most probably more a matter of personal interest than work-related. I’d counter that suggestion. Knowing a little more about cyber activity through the day’s sessions and, importantly, through conversation with other attendees, I feel my eyes have been opened.

My daily job now has a little more support for an area I openly admit to knowing very little about. I’m not for a moment suggesting I’ve see-sawed into an overnight expert, but I have an understanding and a desire to learn more. I’ve spoken to people who deal with DoS attacks on a daily basis about how they manage and mitigate them. I understand data centre infrastructure, so listening to the challenges big companies are presented with from cyber pressure is relevant to my daily job.

Q. Would I go again? Yes, definitely.

Q. Would I recommend non-Infosec types to attend? Yes, definitely.

Q. Will I be attending next year? Yes, definitely.
