May 5, 2020
Cameron
Smith @Secnomancer
Layer8conference is virtual
(https://layer8conference.com/layer-8-is-online-this-year/)
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
CMMC:https://info.summit7systems.com/blog/cmmc
https://www.comptia.org/certifications/project -
Project+
Cameron’s Smith = www.twitter.com/secnomancer
Cybersmith.com - Up by 14 April
Ask@thecybersmith.com
Cameron@thecybersmith.com
https://en.wikipedia.org/wiki/Christopher_Voss https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805
https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation
https://www.masterclass.com/
https://www.autopsy.com/support/training/covid-19-free-autopsy-training/
https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ
Original B-Sides Talk Blurb
SITREP: A Consultant's Perspective from the Trenches of InfoSec
In this session you will hear war stories and lessons learned
consulting for hundreds of clients across dozens of verticals at
every level, from bootstrapped startups with garage beginnings to
Fortune 50 companies and everything in between. We will cover life
on the front lines in InfoSec, ranging from individual
contributions and staying relevant in a rapidly evolving field all
the way to how bad most orgs are at InfoSec and what we can do as
practitioners to help make them better.
Speaking Goal
After my presentation is over, I want my audience
to...
- Feel better about where they are as an infosec
practitioner
- Understand that most of Cybersecurity is largely NOT about the
latest hack or technique
- Failing is OK as long as you learn from it
...so that ...
- When they go back to their office / SOC / client engagements on
Monday they focus on the things that matter to their
organizations
- Hopefully feel a little bit less that the work they are doing
is boring, exhausting, unappreciated, or hopeless
Intro
- Security is a really crazy industry
-
- Like the wild west out here
- Constant threats
- Complacent or ignorant clients/dependents
- Resource and budget constraints
- Security is really complex
-
- There are SO. MANY. MOVING. PIECES.
- There is a never ending stream of new information to learn and
new threats to face
- Security always involves at LEAST 4 parts
-
- The practitioner - Hopefully you have backup!
- What you're protecting - Employer, Client, System, Application,
Data, SOMETHING, etc
- What you're protecting it from - External TAs, Internal TAs,
Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc
- What you have to protect it with - Budgets, Time, Personnel,
Training, Relationships, etc
- Cybersecurity/Information Security is simultaneously an old and
new/emergent discipline
-
- Cyber History
-
- Old
-
- Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack
and Morse code insults - 1903
- Phreaking in the 1960s
- ARPANET Creeper - 1971
- Morris Worm - 1988
- New
-
- Gartner Coined term SOAR in 2017
-
- Yeah... It's barely 3 years old.
- Now you can literally find job openings with SOAR Engineering
titles
- DevSecOps - Amazon presentation in 2015? Not even in grade
school yet.
- Average enterprise is running 75 security tools in their
environment (Cybersecurity almanac 2019)
- Most cybersecurity professionals over 30 do not have degrees in
cybersecurity
-
- Many don't even have Computer Science or IT related
degrees
- This is it's own problem
-
- Training cyber pros, Chris Sanders, cognitive crisis, etc.
-
- BDS ep 2019-021 and 2019-022
- Emergent disciplines are challenging by default
- You chose to play the game on hard mode for your first play
through
Security really isn't as complicated as most people
think
- Occult Phenomenon
-
- Things we don't understand we imagine to be far more
complex
- Things we anticipate we imagine to be far worse than they
are
- Grass isn't greener
-
- Most security departments aren't doing better than you are
- Maturity models aren't magic
Establish Credibility
- I have been in A LOT of client environments in the last 12
years
- Last time I checked, I have more than 350 discrete client
engagements under my belt
-
- I have worked with hundreds of internal, external, and hybrid
IT and Security solutions
- I've met the same tired and beleaguered IT/Security personnel
over and over again
-
- SSDD, very little actually changes from place to place
- In that time, I've learned quite a bit about what makes
security work
- I've learned even more about what NOT to do
- I want to share some of that with you today so you can see how
organizations of all shapes and sizes can fail
Very Large Company Examples
- Big Four Bank Example
-
- Situation
-
- Four Local Branches in Midwest
- Physical Security Assessment
-
- How got onto site as cash machine servicer was incredibly
easy
- Problem
-
- Absolute trust of vendors/vendor compromise
- How do we as security practitioners fix it?
-
- Good internal relationships with functional area leaders
- Work closely with functional areas to left and to the
right
-
- Who? Operations? HR? Purchasing?
- Every functional area and specifically the leadership
- Improved communications and availability
- 8 and Up
-
- 'Gotta git gud' at the soft stuff
- Top 50 Chain Restaurant Example
-
- Situation
-
- Doing Chip Reader refreshes across all ~600 locations for PCI
Compliance during 2017 window
- Problem
-
- Poor project management on behalf of security team led to
project failure
- A security problem became an IT problem
- Contractor to subcontractor to subcontractor added time and
complexity
- How do we as security practitioners fix it?
-
- Security managers needs to be aware of how their projects
impact others
- Managing up
- Security needs to be interdisciplinary
Government Examples
- Police Department Example
-
- Situation
-
- City Administrator got Spear Phished
- Problem
-
- Spear phishing
- Poor logging
- How do we as security practitioners fix it?
-
- Look for the most basic problems and try to fix them
- Find or create solutions that provide basic capabilities
- Cannot prevent the lowest hanging fruit directly, so impact
what you can change
-
- What you can actually do about phishing
- Getting people to do something that you want them to do
- Defense SubContractor Example
-
- Situation
-
- Working with MSP on security issues
- “Do we have a SIEM” email?
- Problem
-
- Company executives have never done due diligence
- Assumed that MSP had it under control
- MSP just did what they normally do and within letter of their
contract
- How do we as security practitioners fix it?
-
- Security needs to be proactive
Small Company Examples
- Light Manufacturer Example
-
- Situation
-
- Server not working, Ransomware
- Attackers pivoted through third party accountant access
- Problem
-
- Single Point of Failure (SPOF)
- Vendor Compromise
- How do we as security practitioners solve it?
-
- IT problems become security problems on long enough
timeline
- Need to provide actual solutions to business problems
- Security CANNOT be decoupled from business needs
- Telecommunications Provider
-
- Situation
-
- Employee reports CEO was hacked
- Problem
-
- Employee panicked, emailed everyone
- Escalated way beyond what was necessary
- How do we as security practitioners solve it?
-
- Employee education - Boring answer
- What's actually under our control here?
-
- Clear processes for security incidents
- Clear communications channels for employees with IT and
security groups
- Knowledge management
- Local NGO Example
-
- Situation
-
- Meeting with Executive Director regarding server failure
- Problem
-
- Mentions that she was sent security guidelines from global
parent org
- Got so overwhelmed reading it she just closed it and kept
working on something else
- How do we as security practitioners solve it?
-
- We have to make this information digestible and accessible
- We do NOT need to make already dense subject matter even more
inaccessible
- When cannot mandate compliance, how do you achieve
compliance
-
- More flies with honey than vinegar
- Build relationships - Layer 8 strikes again