 Thank you very much for the introduction. Sorry, this is a very different kind of headset, so I'm not used to this one. Thank you all for having me back here, and thank you for taking the time to come listen to me. Last time I was here was about three years ago, and it was the first time that I gave another iteration of my talk series called Barbarians at the Gateway. And you guys were my very first audience for that, and I really appreciate you guys being here for that back then. Those of you who might have been there in the room at the same time, but this time I'm back to talk about data breaches. It's much not a vendor type of presentation, although somebody did accuse me of being marketing earlier today. I'm not overly offended, but you know, it's one of those things. So yes, I have been working in this space for now 25 years, and along the lines I've got my collection of CVEs and all the rest of it. And it's just amazing to see how things have shifted in that 25-year space. And now we're at the part where we're talking about data breaches which just doesn't seem to stop. It doesn't seem to go away. So number one, I'm glad you were able to find the room, so it was a really interesting blow-up, but that's being what it is. I had the wonderful intro where they talked about who I am. Other things about me is that I have been doing this for so long that along the lines, one of the things that I was taught early on was to walk around with a notebook and keep notes of everything you do. And this is one of the most fantastic things that I've had from a personal advice kind of perspective. So when you keep notebooks and you do this sort of thing for 25 years, the stack of notebooks is almost as tall as I am at this point. And it's really cool because I'm able to go through and pull all different types of stories from it and be able to give talks, be able to write stories for publications such as Forbes and CSO Online. Huffington Post very uncoolly got rid of me and 100,000 other writers, but I'm not bitter. So a little about myself. No, I am not an American. I am Canadian. I'm actually born and raised here. I actually grew up in San Juan and DDO. And it's really fun for me to have every chance I get to come back here. I'm like, wait, I get to go to Montreal? Yes. Okay. I'm in. So now after all the different types of jobs I've had, I've been everything I've worked in a record company. I played in a band for a living. Don't recommend it. And all of these things that's going on. Living in a band with a bunch of other people who may have questionable hygiene. Not the greatest career choice. But now working for Akamai, it is fantastic because of all the data that I have access to and all of the things that we're able to glean from that data. This talk is more about stuff not specifically related to Akamai, but if you want a really cool talk, last talk of the day tomorrow with Alan and Danny, they're going to be talking about just some incredible stuff. So I highly recommend you check that out. So the one thing that I did is I went through and I pulled all of the publicly available data breach notifications for 2016, and I went through and read them all. If you've ever had trouble sleeping, don't worry about Somin-X, do this. So now I've been going through the 2017 ones and it's just more of the same thing over and over again. What I had intended to do was to go through and build out some metrics, you know, pump through R and see what kind of really cool graphics I could get. But the one thing I realized really, really quickly is, excuse me, there's no common lingua franca. There is no commonality between all of these different types of data breaches. I've even seen things that made me absolutely insane. Like, well, the laptop was stolen from the back of the car, but it's okay because that Windows 98 laptop had a password on it in 2016. And these are the things that really concern me. And as we're going through here, we're not seeing that common understanding. We're not seeing the shared information. There's no sort of level set among things. And when you go through all of these closures, you realize there's not enough coffee in the world. And I've tried, but as you're going through this, this helps you to better understand what we're missing. So we look at striving for understanding. We're always trying to build new frameworks. If you're working in JavaScript, there's like a new framework every other day. But when it comes to talking about what went wrong, we tend to not do an overly good job of it. And this is one of those things where these are the lessons that we need to be learning. Every time there's another data breach, we all tend to our hands with Glee. Meanwhile, we're just sort of leaning back and going, glad it wasn't our company. But this is one of those things where we have to make sure that we understand what we're looking at. We might have to make sure that we're trying to raise awareness by reaching some sort of common understanding. So before I ever got into this space, and before I even got into the music industry, I was working on my bachelor's degree in classical studies and archeology. So my original dream job was to be working on a palace complex in Crete dusting off little shards of pottery. That didn't work out so well. But one of the really cool things is it really taught me how to do a lot of heavy research. And this was really cool because it's played very much into my current career. And one example was the sack of Rome in the year 410 AD. And you're like, why are you talking about this at a hacker conference? Give me a moment. So this is a case where the Visigoths took over Rome. And the way they did it is they surrounded the city and they waited until they had exhausted all the resources inside the city. Finally, the Romans said enough, they flew up in the doors and they let everybody out of the city with sacked. It was very much a low-contact type of thing. And when I gave the same talk in Rome a couple of weeks ago, they all sort of looked at me and went, yeah, we know. But this is one of those ideas. It's like data breaches, this is nothing new. It's just we've changed the medium as opposed to the actual what's going on. And this is a lesson that we could have learned from back in the mists of time. But as we go forward, we look at things like this. Quite a few years ago, the 40 million credit card numbers that were hacked jumped forward to Heartland Systems, millions more cards. We had the warning signs early on. But we didn't take the time to learn. And one of the things that really got me was this. This was the driving force between so many data breaches, roughly about, I think we're going back now about five, six years ago. And the whole idea of XP Command Shell was to provide database administrators a way to remotely manage their databases. Conceptually good idea. The problem here is the road to hell is paved with good intentions. And we're talking gold bricks at this point. So this is one of those things where it's like this was well-intentioned, but it went very, very badly and led to lots of database breaches. This problem by and large has been fixed, but there's all sorts of other problems that keep cropping up that allow people to breach their systems. Or we're doing the work for the attackers. I use that term very specifically because hackers, this is us, attackers are the ones with the criminal intent. So when I say doing it for them, how many people here are familiar with AWS's S3 buckets? Can I get a show of hands? Okay, now, I wrote an article for forums where I did even screenshots from the interface. In order to make these S3 buckets publicly available, you have to deselect it to allow that to happen. You have to manually intervene in order to make this a thing. So when somebody says that their S3 bucket was hacked, this is the part where my vein and my forehead is about to explode. This isn't a thing. This is somebody enabled it. This is one of those things. And then people say, oh, we got to blame Amazon. No, we have to blame whoever did the work. But more importantly, we have to blame ourselves as security practitioners because we didn't teach them why that was a bad thing. This is one of those things where we as security folks need to take the tip of the sword, put it next to our chest and lean forward. We have to do a better job of teaching folks these lessons so that stuff like this doesn't happen again and again. And we have to make this in a way that's something that is personal to them. So for example, if we talk about ancient Rome where the city walls were breached simply by waiting it out, if we talk about something more personal like your house has been burgled and all of your DVDs or whatever the heck you want have been stolen, this becomes something very much personal to you and this is something you can relate to. So there has to be some sort of lingua franca that we arrive at that's going to resonate with people so they better understand. S3 buckets are a great example of things that don't have to happen and this is going to keep going over and over. And the thing is we get it in here, but it's incumbent upon us to communicate that forward because information is currency these days. And if we're not doing a good job to protect it, this will happen over and over again. Excuse me. A little bit dry. No security presentation will be complete without talking about AI. And this is one of those things where it's like everybody wants to jump on this and it is not what it appears to be. This is yet another tool that we can use. This is not a be all end all. This is not a silver bullet. These things don't exist. However, this is an actual good tool that we can use for positive ends. Unfortunately, marketing types like to get wrapped around the axle about what it actually is without actually understanding it. So a couple of years ago, one of the things I have the pleasure of doing is I work on the speaker operations team for DEF CON. So when we were getting ready for the conference, we had this actually happening at the same time. So it made things a little bit interesting. This was the DARPA cyber grant challenge. And each one of those systems across the stage was being used to break into another system. So each one of the colors you see on the screen there, that's just another supercomputer. And they had huge cables going behind that were water cooling these things. These things were amazing. Now this is a case where they would try to attack each other. And in one particular case, the system actually created its own exploit. And everybody went, well, hold on a second. That was a little bit alarming. That possibility, of course, you get into the wonderful default of, oh, Terminator. But it's not quite like that. But think about it, if this is what we're using now and the attackers get their hands on this as well, the barrier to entry is very low. You have AWS, you have Google Cloud, you have Azure, you have all these different platforms where people are able to actually have a very low barrier to entry in order to get into things. And when you're looking at all these things, you want to make sure that you're doing the fundamentals right because Brian Krebs is not your IDS system. If he is, wow, things have gone terribly wrong. Hi, Brian. So this is a great example. This is something that Brian wrote about after the Equifax data breach. People were like, oh, it was a vulnerability. It was this. It was that there were multiple web portals that had a default username and password that allowed access to the exact same data that was perloined ostensibly through the vulnerability. This is one of those things. We get wrapped around the axle so many times about, oh, zero day this and zero day that. Meanwhile, we haven't applied the Oracle patch bundle from three years ago. This is something we need to do a better job of because security debt is accumulating and it's going to get worse, which for this crowd is a good thing because it means we're all going to have jobs for quite a long time. Now, when we're talking to the media or talking about the media of which I count myself a part of that, we talk about unauthorized access, insider threats, web breaches. But the one thing that we tend not to discuss is the missing patches. This is what I was talking about with security debt. We're talking about the risks that have been accepted, that have been signed off on, but never revisited. The patches that weren't installed for who knows whatever reason and configuration issues that were done in order to finish a product in an expeditious fashion in a way to make sure that they met their time-to-market issues and time-to-market is one of the worst vulnerabilities that we have to contend with because somebody's budget, somebody's bonus is riding on that project going live. And come hell or high water, they're going to get that. So this is one of those things where we have to try and figure out how do we better communicate this upwards to make sure that we're articulating the risks in a way they understand. So, take a breath, do my caffeinated squirrel thing. One of the things that I absolutely love, ever since I saw it in theaters in 1977, yes, I'm old, was when I first saw the first Star Wars film, I was hooked. I was absolutely hooked. Little did I expect that years later, I'd be watching one of the best data breach movies ever in Rogue One. So if you haven't seen Rogue One, I'm sorry, you've had time. So this is one of those really interesting things where we had the firewall of the men, he's saying, okay, he's guarding access to the planet so they can't get access to the data archives. And he's saying, wait a second, I don't really understand why you're here. You're not on the arrivals list. This doesn't seem entirely correct. And the guy goes, well, you know, actually we're supposed to be here. We got rerouted because things went a little bit screwy when the rebels attacked the base. And they said, okay, well, then let's send your code. So there's, essentially, the sequel injection and then they're into the environment. And this is very much in the same way that the attackers, once they get access to your environment, depending on what study you're looking at, if it's Pokemon or whatever it happens to be, all of these different breach studies look at and say, it's 100 to 200 plus days before anybody notices an attacker's in your environment. If they have three days, it's already too long. And by the time they're in there, things have gone horribly wrong. And this could happen to anybody. And this is not the throw shade of this particular organization. This is just one example. And once the attackers are in your environment, they're going to escalate their privilege. Because once they get in, they're like, okay, what can we get next? Because the thing that I always get a kick out of is people are like, oh, they were attacked because of this. They were attacked because of that. The reality is, these attackers are coming after you because you have an IP address. When you have tools out there like Rob Graham's Mass Scan where you can scan the entire internet in four hours, the barrier to entry is so low that it's simple for an attacker to do these things. And if they can get into your system, they can or use it to whatever means they can. So once they're in, there's indicators of compromise for most of these organizations. It takes a long time to find it. But once you do see these, too often it's too late. And by that point, the data has already left the building. There it goes. But the best thing about this movie that really got to me, and I enjoyed this to no end, was what was the lesson that was ultimately learned here? Anybody give any ideas? There was no encryption. So I was like, oh, okay, wait, they're just broadcasting this stuff live so anybody can get their hands on it. All right, so in the future, assuming this is in the future, things are still bad. So I'm hopeful that that's not actually the case. But when I went to look back to 2012, on my side of the matrix, I started tracking data breaches because I kept reading about them. And the pace seemed to be picking up. I had no idea where it was going to end up, but this is the kind of thing we were seeing with Yahoo with allegedly 453,000 records we know in hindsight that, wow. But as we go through these, and it's not to beat up on these organizations, but it was just like there were warning signs that we should have been learning from. These were the lessons we should have been learning. And I'm not Lily White in this. I had my own problems. When I was working for this particular organization that I won't say out loud, but if you can read the URL, you can figure out where it was, we had a system that was compromised. Now, this system was a marketing system that was a WordPress installation that was set up outside the firewall and it was supposed to be for a single campaign. The WordPress version that we were running was deprecated. The thing was so lousy, it was absolutely horrible. And we said, please, can you take this offline? Like, sure, no problem, we'll take it offline. A couple of weeks later, we get a phone call. It was a global mail. And then we got a call from Global TV, and then we got a call from, and it went on and on, and it was like, what's going on? This system had been compromised by RootbeerSec. They had popped it and put up little greets to our friends and all that sort of thing. And the funny thing was is we didn't manage the narrative well. We said it's just a marketing system, it has no access to anything, big mistake. Because by not managing the narrative, the narrative started its life of its own. The media took it and ran with it, and this was a lesson that was a hard one to learn. It had 192 accounts on this system, none of which were the same as any of the accounts on our internal system, but that wasn't the point. The point was that we had suffered a data breach. Nobody cared that it was a marketing system that was managed by a third party. All they saw was our name on the headlines, and that's what they ran with. Hard lesson to learn, but it was a valuable one. Now, when we look at the type of attacks that we see going across our platform at Akamai, there is no shortage of attacks, and every quarter we put out a report called The State of the Internet Report. Now, excuse me, you probably can't see this very well, so I'll just read it out. Left to right, we have SQL injection, local file inclusion, and cross-site scripting. Each quarter we do this report, and every quarter these numbers are roughly exactly this. SQL injection is the number one thing that we're seeing from a web attack type of perspective, because it works. If you are not on our platform or a competitor's platform with your systems protected, if you're hanging in the breeze and you're not sanitizing your inputs and sanitizing your outputs, you're really putting yourself into a world of hurt, one of those things where it's a trivial exercise to pop these systems. And just because you could do something doesn't mean it's a good idea. So a few years ago I wrote about this one. This was a social media platform, I don't even know if they're still around, to be honest, called Yo. So the challenge here was a couple of guys got together and they wrote this platform in eight hours. What was the one thing that they didn't factor in to Yo in that eight hours of coding? Anything resembling security. So the whole point of this was they were able to text back and forth to all your friends and it would just be one word Yo. I have no idea how they were going to monetize that. So they got breached and this was one of those examples of just because you can do something doesn't mean you should. You really have to factor into security into the mix. Because SQL injection, you've got to sanitize your inputs, sanitize your outputs, and it's going to keep getting worse. And here's some examples. These are major SQL injection data breaches, like just historicals. And people say, oh, okay, well, you know, it's not nearly as bad as all that. Well, okay, let's look at from a year ago. This is from a site called informationisbeautiful.net. They do this wonderful job of data visualization, so if you're a data vizner, there's a great one to check out. Excuse me. One of the data visualizations they do is for data breaches. And then this is one, well, from today. A year ago, today. And then there's really big highlight ones that really jump to the front page. But this is one of those really amazing things, is that we're not learning these lessons or we as security people need to start making a whole lot more noise in a clear and articulate fashion. We're getting into the room with your hair on fire saying, we got pwned is not going to work with the CFO. We want to be able to actually speak their lingua franca because otherwise it feels like this. It feels like everybody is out to get their own data breach because it's the thing to do these days. And you want to make sure the controls you have in place are sane ones. Because if you're not using the right kind of security controls, your mileage may vary. Then we look at stuff like this. Want to cry. Want to cry should never have happened. This was using a vulnerability that we've known about for a decade. This is something that didn't need to happen. And yet here we are talking about it and here we are with all these graphics of all these different systems that got popped. This was a remarkable exercise in hindsight as 2020. We really should have learned from these lessons. So when you're looking at data breaches and having suffered through this firsthand, you've got to look at the costs that you have to deal with. How much is it going to cost you to do the investigation for the incident? And don't even take into account bringing in a third party just internally to your own organization. How many people are going to be working on that data breach? For how many hours? How much report writing? How much analysis? How much forensics? Because each one of you that's working on that, there's a cost to the organization that you're working in. So if you build that out, you can say, what's the cost of this amount of money? And then once you do the math, it's like, whoa. If you take into account rather bringing in a third party, the cost skyrocket. What's the cost to recover? If we take into account the story of Sony Pictures when they got breached, they were working off of whiteboards because everything was smoked. They had nothing left. And this is a really, that should be a real strong lesson for anybody in this business. You want to look at how you're going to do your communications if you don't manage the narrative, like I said, it's going to manage you. And I learned that very much firsthand. That was the biggest takeaway from our breach, was that we didn't get in front of the story. What are your legal fees? And what are the compliance penalties you have to look at? Something you really got to take into account. Further that, loss of revenue, customer attrition. These days, if you're running a site where you're making a widget, and your widget A, and the other company is making widget B, and your site gets breached, or for whatever reason, customers lose confidence, these days they're going to shift over to the other company like that. There's really no hesitation. And you have to look at what are the other costs and data breaches. For example, this is a great example. For example, this is a great example. That made a whole lot of sense. So when Yahoo was looking to, or sorry, my brain just locked up. It made me completely, that's always fun. So when the sale of Yahoo was going forward, Verizon took $350 million off the price tag, because Yahoo had not been forthright and disclosed the breaches. It's not the crime that gets you, it's the cover-up. And this is one of those unfortunate things where, if they had actually been forthright in this particular example, this could have been far less painful. And it's not just them. This is not just a one-off story. There's other things like Talk Talk. In the U.K., where one of their senior members, I can't really remember if it was CIO or a CISO or who it was exactly, but they came out and they said, why do we have to do encryption? We're not legally required to do so. It was roughly the wrap-up on how they had said it. And unfortunately, that logic was as flawed as you can imagine, cost them 400,000 pounds. That was a lot of things. And why did they not encrypt the data? What is SIPLaf to do? That's one of those things. When you're talking security with any sort of project, it's a dollar up front or $10,000 on the back end. Which cost do you want to bear? Now, this is from a conference that I spoke at not too long ago, actually, within the last two months, and I downloaded their app and I decompiled it and went through it. And they were looking for read-write to external storage. This is just one example of many that were in this dump of the file in the manifest. If you're writing an application and you're accessing information that you don't need, why? Because it's a trivial exercise to decompile these things. And when you look at the types of fines that are coming up, it could be really painful if you're not taking good care of your data. GPR is just the beginning. Honestly, I would not be surprised to see a similar type of legislation in Canada the next five years. I would be really surprised if we didn't see that. And a lot of this is because we need greater accountability for the data that we're stewards for. In case in point, when we look at the Equifax breach, this was a graph that I didn't do, but somebody actually tracked the timelines between when the hack was discovered, when it was announced, and when insiders were dumping their stock. Interesting timing. So, who got the pink slip in the Equifax breach? Imagine your organization, you suddenly lose your senior management. Well, the CISO retired. The CISO apparently made $11 million in four years. I really need to talk to my boss because apparently I could be making a whole lot more. The CIO retired. The CEO retired with a $90 million U.S. parachute. So, for them, there really wasn't any ramification other than they lost their job. They walked out of the dirt with a lot of cash. And this isn't to beat up on Equifax so much as what would happen in your organization if all of your senior management was gone? What are those things that really complicate? These are the costs that we have to look at for any sort of data breach. And to be fair, they weren't the only ones that got breached, so hopefully this works. Is it running? No, of course not. Nope, not running. Anyway, so one of their Equifax is direct competitors was compromised and they were installing Flash onto your drive for you, but that's another thing entirely. So, one of the really cool things is when you're looking at all these data breaches, you have to look for allies within your own organization. Compliance is a great example. Compliance were that group that years ago they went, oh, God, not them. It was sort of like I was an inspector with a police station and internal affairs shows up and it's like, oh, not them. It's them again. But compliance over time I've learned is the friend you need to have in your organization because they can help you get it done. When you're looking at talking about customer attrition you want to talk about going through it and making sure that you're sounding out what you're going through as part of your research, as part of what you're finding in a data breach or finding before a data breach. You want to look at the information and then have it as a sound off with our own internal compliance team, these folks are amazing because they're on top of all the different regulations, all the different types of legislations that are out there so that when you're building out a project and we go, okay, we're going to go over and talk to the compliance team and then these are the things you have to be concerned about. Here are the penalties that are associated with so here's a better way to do X. In your own organization this is the way things should work. This is a good way to be. So back in the 90's when I was working for a defense contractor my client at the time who shall remain nameless but defense in the United States, they were under attack by a third party and I ignored it for a few days it was having little to no effect and then one day I came in, I'd been up all night I was really groggy, I saw it again and I attacked. I hacked back. This is something that I'm seeing popping up in a lot of proposed legislation in various countries now. This is not a good idea and I'm a living testament to that. I hacked back, I hit the target, I didn't destroy anything but I left a note on their system saying please don't do that, here are the things you need to fix and I gave them a burner email address so they could contact me back if they had any questions. I was all nice and feeling good about myself I sat down, had my coffee next day there was a little oop-ping inbox okay, opened the email hey, thanks for highlighting all the issues that you found and really sorry about the attack and all the rest of it but you hit the wrong company I had gotten one of the octets wrong this is why hacked back is so incredibly stupid because something as simple as that could have gone horribly wrong and I'll talk about that a little bit more too but with this particular case they were really good about it and this was before a lot of the legislation that we have today so thank goodness but this is one of those things it's like hacking back is not a good idea and this really goes back to talking about data breaches it's like somebody attacks you hitting them back is not always going to work in your favor probably won't and these sort of things happen over and over again so not too long ago before I joined Acomite I was working with a company where a vulnerability scanning vendor came to me and said look we will scan a block of your IP address base for free so you can see how our product works and I said, you know what, that's a great idea free is good so they scanned my network and I gave them a class B and they said what, we were hoping for a class C and I'm like, that's all we got so they did it and they gave me the report and I started flipping through the report I was like, huh, that's interesting Shenzhen, Beijing these were all printers but they were all in Chinese address space they had got one of the blocks in the octet wrong they had scanned the class B of China and given me a full report I love that one so because they were so embarrassed and they fell on their sword instantly I will not name who that was but it was one of those things just like accidents happen and we have to be very, very cognizant of these things when we're dealing with security related issues and when you're dealing with internal groups you have to make sure that you keep your head on straight because when somebody does something wrong from a security perspective one of the first things we do is like we'll grab the torches it was like, burn him, he's a witch not the best policy, not the best way to approach things and case in point is this now this is not the actual application but this is an example so when you have a browser and you open up and you go to view source on a web page what do you see? HTML great so view source right there this right here just being very clear this is one of those things where I get very frustrated because I was given an app to look at which unfortunately had gone live before having any sort of security review luckily they hadn't sent out the link to the customers yet saying that it was live this was many many moons ago and I looked at the app and the first thing I did was okay view source what was commented out in the HTML can anybody guess? username, password administrative access to the application fantastic and there I took this and I sat down with the CISO myself and the manager for the application development team we said look this is what we found this is why it's a problem his first reaction was that I hacked his application I can't even make this stuff up he honestly thought view source was hacking into his application he didn't even know that this was a thing and to be fair I had never taught him that he was a manager not an application developer he was managing a team of app site folks so this was one of those things where I went okay this is a learning experience for me as well as him because we have to do that better job of communicating what security is to the wider audience and while in here this was my reaction the benefit of me taking that pause was I didn't do this which could have quite easily happened in my younger days and just because you fix something doesn't mean it's not going to get unfixed so one company that I worked at many moons ago when I left that organization one of the applications there that I had asked them to do X to fix they had finally done it after many fights and as soon as I left they reset everything that they had fixed I got an email about a week to two weeks after I left the organization from my buddy who was still there and he said you're not going to believe this this was a publicly facing URL that if the end of it if you put in the argument of Etsy password it dumped the entire password file for that server this is one of those lessons where you have to understand that just because you give somebody a tool doesn't mean they're going to use it the way you expect them to people will always find a really interesting way to use tools or they'll ask for tools that do nothing at all too soon and then there's other times where you have a company that is specializing in security that has their own type of issues so now this is not beating up on this company yourdataissecure.com this was literally happened 20 minutes before the first time I ever gave this talk this happened to this particular organization I was just like wow this could happen to anybody so never take for granted that your security is 100% because 100% doesn't happen you can get 99 but you're never getting 100 and a data breach will leave you feeling completely gutted and Bob Lord who I've known for quite a long time when he went through this he said it was literally like vertigo he felt like he was spinning that's exactly how I felt with our breach at the other company and it's a very unpleasant feeling and if you can figure out a way to be prepared for it in the event that it happens that's going to make it a lot easier to deal with and don't for a second take for granted saying oh it's just this low ranking system it's not a problem the media will happily take it and run with it and mistakes are going to happen the Morris worm is a great example this was something that got out not what was intended but things can happen in a bad way and we have to make sure that we don't see the world as if we're playing Doom it's not an adversarial relationship we are there to help facilitate the business help do things in a secure fashion and to build on this don't align against yourself we have a really bad habit of eating our own within the security community that I've seen really develop in certain circles and this has got to go away there's not that many of us and we need to figure out a way to make this work so in the idea of making things work I talked about working with your compliance folks earlier what about your audit team I can just feel the air suck out of the room with that one working with your audit team this is great because you can actually go through them and bounce off what your incident response plan is you can have them go through it and look for holes so that the attackers don't find it for you and when you're dealing with audit it's great in addition to doing that they can help deal with the benefits of the risks of sharing types of information you can actually help work with them and the compliance team to get to a better place because when you're talking with them then you get a better idea as to what you want to communicate outwards because bad news, sorry bad news will ultimately happen I hope that doesn't happen to your organization but having lived through it, I know that it can you want to make sure you have a clear narrative ready to go so it doesn't develop its own life and don't get focused on the zero day so the media loves to focus on the zero day to be entirely honest I'm more worried about the 100 day vulnerability the Oracle patch that I mentioned earlier if you hadn't applied it from a couple years back what are you waiting for so when you're looking at all of these different pieces of what I want to cry and all the rest of it all these things that didn't have to happen you say okay what am I going to do well start where you are look at having a risk register to go through your environment and look at what are the risks to your systems what are the risks to your environment what are the problems that you're worried about you want to have a good long look at patching nobody ever wants to talk about patching because it's not fun I've done it I've run patching systems it's just not enjoyable but it's necessary you brush your teeth every morning why because you don't want cavities why don't you patch you don't want those same cavities in your systems you want to actually work to stop threats earlier within your systems you want to make sure that you're not having DNS leaking out of your system GRE tunnels leaving your system that you don't have any control over or know about I used to work for a power company in Ontario and one of my guys he built a GRE tunnel from his system to his home system and he did it because he wanted to see if anybody would notice and I was having a good giggle because I was literally the only person in the organization that knew it was happening and I wrote it down and put it in an envelope and sealed it on that day as to what was going on and finally after about two weeks he came to me it's like I got to come clean I have this GRE tunnel going back to my home system I was just testing to see if anybody noticed and I handed him the envelope and he opened it up and he's like I hate you because he thought nobody had seen it at all but that was just it I was the only one and that's not the way it was supposed to be in that particular organization our front line folks should have seen this this should have been picked up on and when you're looking at these environments environmental issues you want to make sure that this is not exiting your environment in addition to doing code reviews having web application firewalls anti-denial service controls in place because the attackers are going to come at you every which way one thing I always get a kick out of people say oh we have to innovate we have to get ahead of things we have to be on top of whatever the last talk blockchain that's another one in this talk that was really good I've been to other conferences where blockchain was nothing but a buzzword so the last talk fantastic but that's one of those things is we're they're constantly expecting us to innovate while systems are in flight and that's just it as security practitioners we need to give them that framework so that they can actually innovate the way they need to safely and this is something that we can do so the other thing too is learning to let go with the systems that you're controlling data breaches yes huge problem but one of the things you have to learn to do is also to let go of the systems that you're controlling in certain instances so I used to run the IDS system for a power company many many moons ago and I controlled everything from patching to log management to everything I wouldn't let anybody touch it because I had trust issues I didn't want anybody to mess up my systems it was working and working really really well it would actually send me text messages in the middle of the night if something really critical happened it was like oh this is fantastic and I could able to remedy it but one of the best pieces of advice was my mentor said you have to learn to let go of that system you will not be able to grow as a security practitioner until you can do that I did let go of that system they had to hire two more people to run it explained why I didn't sleep much but that was one of those things where by letting go of that system I was able to focus on other more important things like getting folks within our organization or doing really cool in depth research which unfortunately I haven't gotten to do in 10 years so that's another thing in Starly so one of the second and last stories that I have to share with you was one organization we were working in this was crazy it was a global footprint and we have MPLS circuits going around the world and we got letters from MPAA and Ria saying stop downloading movies stop downloading music what are you talking about so within your own organization do you think you know how you have everything wired well guess what you might be in for a surprise so we actually had folks on the ground in south east Asian country where we had an operation and we had them do a physical look at the network the local folks in that particular office had created a branch off the router so we were looking at the logs we didn't see any of this we were looking at the firewall so that they could download all their movies download all their music and here we are getting this nasty letter and we're like writing back on a look we have no idea what you're talking about we looked at the logs thankfully they went away and we found this and then they went away but that's one of those things you really got to understand your environment because when you don't understand your environment things that are very strange can happen one company I was working at something under the floor in the control center we went through and there's like there's some weird routing loop so we lifted up floor tile number one nothing floor tile number two nothing floor tile number three there was a Cisco 1750 blinking back at us from under the floor that nobody had ever seen before this router predated my coming on board with this company and it went back to the time when it was one big large company this turned out to be a direct connection back to one of the other companies who had since become basically a competitor of ours thankfully they didn't know it was there on their end either and we had friends at that side and they went oh damn so they pulled that out but that's one of those things data breaches unfortunately are far too prevalent they're happening far too often we have to do a better job of communicating we have to do a better job of understanding what's our environment and making sure that the hygiene systems is in good shape we want to make sure that we're looking at things from a zero trust perspective in making sure that people only have access to what they really need to do their job these are the things we have to consider and that being said I'm up against beer so I will just say thank you very much for having me if you want to send me an email