This is Margaret. She's a technical writer with a strong interest in information security, learning and education, and interdisciplinary connections. She has spoken at conferences, including Write the Docs Day Australia, the O'Reilly Open Source Convention, OSCON as we call it, and Abstractions too. All right, take it away.

Thank you. Hello friends in the back, and the front and the middle. Good morning everyone, and thank you for showing up as it is still morning. I appreciate it extra. Today I'm going to talk a little bit about the mosaic theory of information security. I'm going to start and spend a little more than half the talk explaining what mosaic theory is and how it is used in the financial sector, where the idea originates. And then in the second half, we are going to talk a little bit about how this can be useful to you as an information security practitioner. First, we're gonna start with a giant slide full of disclaimers. I'm gonna read them out loud just to be completely explicit. I am not a lawyer. I am not a financial advisor. I am not the SEC. I am not in any way entitled to make expert judgments on what is or is not legal or insider trading. This whole talk is provided without warranty or guarantee. This is not legal advice. This is not financial advice. I am especially not your lawyer or financial advisor. I am going to talk about how legal and financial concepts work in a general sense, based on a lay person's understanding, so we can all have a shared basis from which to discuss their applicability to information security. Do not make financial or legal decisions based on any information in this talk. Again, not advice. Talk to actual experts if you feel inspired to make financial or legal decisions after watching this talk. Do not rely on my information and do not make them because of anything I say today.
I am not an expert on insider trading regulations, but I have enough of a general idea to use them as an allegory for a problem that security faces. We're all clear. Not advice, not gonna listen. It's gonna come up a couple more times, but. So, first we're going to talk a little bit about what mosaic theory is. We'll give a few examples of what does or does not fall under the mosaic theory. We'll talk a little bit about how you can use this, and then we'll revisit and wrap it up. First, the SEC's definition of insider trading. This is it: illegal insider trading refers generally to buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence, on the basis of material non-public information about that security. Insider trading violations may also include tipping such information, giving it to somebody else, securities trading by the person who received that tip, or securities trading by people who misappropriate such information. I really want to focus in this definition on the concept of material non-public information, because whether something is or is not material or non-public is kind of the core focus of how this relates to infosec. First, I'm a technical writer and I'm at a hacker conference. Why am I talking about mosaic theory or finance in general? So I decided at one point that I wanted to learn a little bit more about finance, mostly how that team worked at my company but also just in general. It seems like a useful thing to know. I started with kind of a basic introductory finance newsletter and then I graduated to Money Stuff by Matt Levine. It's a Bloomberg newsletter. I love it. It goes out every day. He gives enough of an explanation that you can use it to learn about concepts, but also goes over whatever the current news is. And one day he had a story about an argument about whether something was insider trading or valid under the mosaic theory, and it had a cool name. So I Googled it a bunch.
A different columnist describes the mosaic theory as being how professional investors and research analysts work the phones to ferret out information about companies that can't be found by simply reading news releases. That is, they get information that the company is willing to disclose but that hasn't been prominently disclosed in a public place, and they combine it. This is the core of what counts as skilled financial analysis and not insider trading. For something to be insider trading, which you do not want to do, it has to be material information direct from a reputable source. The information often comes packaged together, so you're not combining information from different sources, but you can act on a single tip or piece of information. And also the information is useful alone. On the good side, skilled financial analysis, which you are allowed and encouraged to do, involves immaterial information from multiple sources. You combine that information to create useful packages, and that combination is what counts as the skilled part here. And the individual pieces of information are not as useful as the whole. That is, if you took any one of the things you're considering, you would not be able to get as good a result as you have gotten by combining that information. I bet this is starting to sound familiar to some of you. Here is an example of a case that the SEC ruled was insider trading. In this particular case, a member of the board of directors of a potato chip manufacturer called Golden Enterprises was informed, for legitimate business purposes as a director on the board, that there was a pending merger with Utz Quality Foods, which is privately held. So far so good. He got material non-public information, but it was for a legitimate business purpose and he didn't trade on it. That's all fine.
But instead of using that information exclusively for that legitimate business purpose, he tipped his friend and business partner, Michael Hale Smith, who in turn tipped his dad and his brother and his boss, who all traded on it. Importantly, they all knew he was a director, and so he was a reputable source. That's also important because if I tell you that a potato chip company will be acquired based on my expertise as a technical writer, I am not a reputable source, and if you trade on that, you got lucky. That would not be insider trading. They profited off of information that was surer than it's supposed to be. You're only supposed to be able to trade on uncertain information, so that there is still that element of luck or skill in ascertaining how good the information is involved in it. There's this interesting concept of fairness that underlies insider trading where the riskier it is, the more you're allowed to do it. It's odd. They did profit off of the information to the tune of less than half a million dollars, which feels extremely not worth it, and they ended up agreeing to repay it with interest and additionally pay a fine equal to the amount they had initially earned, without admitting or denying guilt. By contrast, this was not insider trading. A businessman who owns a restaurant in Massachusetts was found not guilty of insider trading this year after successfully reaping $850,000, a much better profit, from trading in the print company VistaPrint. He traded their futures between 2012 and 2014. In just two years, he got $850,000, and while he was extremely accurate, he was found to have combined bits of public information to make his decisions on. He used their public disclosures, which is totally fine and counts as skilled financial analysis, not insider trading.
The case was originally brought because he had friends with ties to VistaPrint, and people had said that he was doing so well that they must have been giving him advance notice of the financial disclosures before they were published, but a jury found that they had not tipped him material non-public information. So in review: insider trading, bad, don't do this. This involves trading on single pieces of significant information that were not intended to be released to the public. Skilled financial analysis involves combining information that was meant to be released to the public, and that's totally fine. That's the thing you're allowed to do. Why should you care about this? Well, you also have a lot of information. There is the equivalent of material non-public information, things that everybody knows you shouldn't disclose, and it's a huge problem if you are disclosing it. You've got people's usernames and passwords, users' personally identifiable information, details of your unreleased features, all that stuff. The stuff that we say, yep, definite breach if it gets leaked. But you also have some immaterial or public information, like your press releases and your job ads and group pictures from your onsite, that people can combine to constitute information that you may or may not have realized you were making public. Your material information might be something like this. Something fun that I like to do with this talk, because all of these information security issues are so pervasive, is replace all the examples the night before I give any variation of it, every time. So this was a breach this week, two days ago.
The California DMV spilled data from thousands of driver's license applications to a number of agencies, including whether they had a social security number, which is significant because California allows undocumented people to get a driver's license (you can't get the Real ID), but now there's this whole database of who was in California and undocumented and legally allowed to drive that was given to, among other agencies, DHS. But then there's also this immaterial information that you definitely want to release so you can promote your company, right? You've got your travel opportunities and employee sabbaticals, employee travel, onsite timing, job postings, the information in your applicant tracking system. You want to release that internally a lot of the time so that you can promote your openings, so that you can promote your company, so you can show people what a great place this is to work. But how can you use this? Well, some of you may already have encountered a situation where you released all those travel schedules and someone noticed that maybe an executive was out of office and took that as an opportunity for spear phishing, or similar situations where there was something that seemed harmless when the person released it, that was benign enough that it didn't get covered in security training (or if it did, it was maybe an offhand mention), and that then caused a serious problem of that material non-public kind of nature later on. The concept of the mosaic theory in the financial world is pretty well established: it began to be used as a defense in insider trading cases in the 80s and has continued to be used since then.
This is something that a lot of the MBAs or executives or business stakeholders will readily understand, and so if you're trying to establish why a couple of things that we're about to talk about are significant, this can be a great allegory, like: look, you know how you're allowed to trade on stuff when you combine the information, and sometimes you can do so well with that that they're not sure if it was insider trading or not? Well, no one's gonna be able to tell how this breach happened if we keep putting out all of this information. You get blamed all the same way. One of the ways in which this turns up is prioritizing dealing with chunks of vulnerability chains. If you have a bunch of insignificant flaws in your software that can be combined to constitute a significant flaw in your software, instead of having legitimate non-insider trading, we now have workable, no-major-breach-required hacking. This can be especially useful when you need to direct resources towards breaking a vulnerability chain when another stakeholder wants to advocate for putting that same time onto something flashier. Maybe let's not work on a new feature until we've taken at least one of these chunks out. It can also help when you need to evaluate the available OSINT on your organization, but before we get too far into that, it's another disclaimer slide. The tools that I'm about to mention are risky because they are useful. If they were not useful, people would not be putting so much information into them. They would just ignore them, and then that's no risk to your business at all. Banning these tools is not a good mitigation strategy for this risk. It's good to build awareness around them. It's good to keep track of what's going on on them. Don't try to convince people that they can't use Twitter or LinkedIn. It's not gonna go well. I really love an analogy from Sarah Harvey, who is a security and privacy engineer at Square, and compares your data to Lego bricks.
You can put them together to build cool things with them, and it's great when you're using them correctly, but if you don't clean them up, they hurt a lot to step on. It's easier to avoid stepping on one if you have an idea of where they all are, and especially if they've all ended up where they're supposed to be. And I'm hoping that everyone takes away an idea that there might be places in your organization with piles of stray Legos hidden in the corner. There are a couple of clusters of types of information to watch out for. This first section is things related to the locations of your employees at any given time, and especially recent past employees. As people leave your company, they're often going to update their LinkedIn, and then people know that they just left. Hopefully you are doing some sort of exit interview, or just having a nice company culture to begin with, so that they're not really angry when everyone in their network gets an update that they just left your company, but that can be an area to watch for. You also want to look at things like conference or meetup attendance and course completion. A lot of the skills that your organization is targeting can come through there, especially if there's something that you are looking to get into that you haven't yet. Your organization might decide that it's totally worth the risk to promote it. For example, there is a Udemy data science initiative, and they have been able to make great strides in hiring competitively by announcing that they are trying to upskill or hire a ton of data scientists and that they are going to throw resources at that. That might be a thing you want to do, but you want to know that you're doing that, rather than, like, hey, engineers, go to three conferences about this technology, and you can use your company name on your badge, but we don't want anyone to know we're evaluating it. That one's not going to work as well.
Additionally, you have your career site, your blog, your employees' blogs. If you don't have a place they can promote them internally, everyone wins there. You get to know who has a blog and what they're saying on it. They get to promote their blog and maybe get some extra likes. Everyone's happy. Also, watch out for what's happening in terms of conversations on public transit or near your office. Every security training ever says that you should be careful what you're talking about in public, but it's often so vague and abstract that by the time something actually comes up, an end user has said the critical thing before they realize that they've said it. And so we've had some traction at my organization with providing concrete examples, like: hey, I was on the train this morning and I heard three people wearing their company badges complaining about how dumb this new HR training is that got assigned by the federal government after it turned out that they were having major issues in their stairwells. Three times in one week, different groups of employees. I love BART. The main thing you want to look for in terms of this information, though, are the trends. You want to look for whether there is chatter about mergers and acquisitions. This can also be a little bit of a red team or marketing competitive intelligence kind of area. You can see where maybe if one of your competitors is suddenly super into attending events about, and posting on Twitter about, all these cool merger articles, there might be something coming down the line there that they have willingly or unwillingly made public to you. You also want to watch for mentions of tooling. That's going to turn up most frequently in terms of conferences, courses taken, meetups. People often add the skill assessments to their LinkedIn profiles now, and that can be an important source: one person learning a new tool, an entire team learning a new tool, probably telling you something.
Job posts and resignations, especially if you have someone who is significant enough to your organization that there is a blog post about their resignation and replacement, or their resignation and the role being open, as well as general employee sentiment. If your employees are super angry, then you have a riskier environment to operate in than if you are a nice company and your employees love working there. In conclusion, one final time, this is still not financial advice. Nobody's trading on any of this. Ask your lawyer, ask your financial advisor, some professional who is not me, not that kind of professional. I am especially not your that kind of professional. Not advice. Insider trading is bad, you shouldn't do it. That's advice that I am willing to provide. No insider trading. Additionally, all of the small things can add up. Because this is kind of an unusual topic, I'm going to do a double-tiered Q and A here. There will be a brief Q and A period, about five minutes in here, where people can ask questions that are for the benefit of everyone. And then I will be out in the garden for the normal Q and A, where you can ask more specific things, or how this applies to a certain domain, or stuff like that. We will have a microphone available. Thank you. Does anyone have any questions?

I was wondering, how common is it for companies to allow their employees to just blog on their own private blog about what's going on at the company? It seems like that would be banned automatically.

So the question is, how common is it for companies to let employees blog on their personal blog about the company? It depends on how directly about the company it is. But again, you can combine insignificant information from different sources. And so it's extremely common to let employees have a personal blog and to blog in a general sense about what they are doing or learning.
And you can then combine that with the same employee's LinkedIn profile, which is often helpfully linked to from the blog page itself, to figure out pretty trivially which company they're talking about or what sorts of projects they might be working on.

Do you have any sort of term or anything like a red flag that when you see, you know that there is usually an expected outcome straight from whatever was mentioned?

In terms of gathering the information together, or? In the mic, please. I can't really hear you. Sorry.

Whenever I see people disappearing or getting fired or anything like that, I know that, especially in the security sector, if it's a CISO, I can guarantee there's almost like a breach that has happened that I'm waiting for. Is there anything like that? And pretend it's your talk that you have the same reaction to?

So part of the problem here is that this is all about things you can combine. And so there's not any one silver bullet. There are a couple of things. I'll be posting my slides later. And those things that were grouped together on the slide with the sections of bullet points often can be combined with each other. Two together constitute one piece of information that's useful. In terms of a single thing to watch out for, with the exception of stuff that's totally unhideable, like your CISO took a new job somewhere else, people generally do a reasonably good job of either not putting stuff out there that shouldn't be out there or getting it down pretty quickly. Because once it's out there, you've got a lot of eyes on it, and someone's going to report it to a person who will tell you, hey, no, stop. Whereas this, you're probably not monitoring your friends to the same degree that this would require. Is there anyone else with questions?
In line with the previous question, do you think a portion of this could be automated, such as scraping, you know, LinkedIn, Facebook, whatever, looking for new domains the company's registering, and stuff like that? Do you think that's possible?

Chunks of it are absolutely automatable. You can scrape people's social media. Something that I've seen that I kind of hesitate to say on video is, in the welcome emails, people list all of their social media links, and so I've seen people just save all of those to a document somewhere, and then you have all of your colleagues' social media links. But you can absolutely automate parts of the process. There is still, at this point, I think some manual work required in terms of combining it, but I would not be surprised if within a couple years the manual work could be drastically reduced, if not alleviated altogether.

To go off of his question, is there any established framework that you know of or can suggest?

I don't know an established framework for this, because it's a little bit of a thing that I made up based on a couple of learning interests I was digging into at the same time. It would be cool if there was an established framework. I guess maybe that means I should make one. All right, one last question.

There is a partially established one. I think parts of it have been deprecated. It's called Recon-ng, but it has a similar interface to Metasploit, so it's not the most user-friendly.

All right, thank you, everyone.

Thank you, Margaret. All right, thank you. And we will be continuing this in the back in case you didn't want to be recorded while you were asking your question.