Presenter:
Transcript:
Dave is the global advisory CISO for 1Password. He's talking to us today about falling on swords. I'm curious. I assume there's no Watts or live reenactment.
We're not. No. Okay. With over 30 years of experience, Dave is the global advisory CSO for 1Password and founder of Liquidmatrix Security Digest. We think big thoughts, and we're going to share him today. He's worked with many different enterprises and companies, and he is happy to speak with us today. Thank you. Dave, can we have a round of applause, please?
Thank you very much. So, can everybody hear me? Okay, good. I got my credit from Verizon. Okay. I would like to thank everyone for being here. And for those of you who are napping, I take no offense, I get it. This is one of those things. It's a big, beautiful room, and it just feels like there's nobody here.
The really funny thing is, when he was talking, I was standing over there. I couldn't hear anything because of the confidence monitors right here. So it was a really weird effect. I couldn't quite hear what was going on. But anyway, this talk is called Chasing Entropy. And this is really about chasing after, you know, getting to that place of improving security overall.
But one of the things that happens over and over again is we keep doing the same thing wrong, time and time again. But first, for those of you who did not show up for... actually, you know, let's try this. Show of hands: how many people were here for my closing keynote last year? Dude. So, three of you.
So your other six friends didn't make it this time? Okay, good. No, no. But I do appreciate that. So last year, it was really cool to be able to give that closing keynote, but I understand with traffic in Houston, it was a little bit of a thing. So for those of you who don't know me, I've been in security now for over 30 years, which is somewhat painful for me to say out loud, but I've learned a lot of lessons. And the really interesting thing is, when you've been doing something like this for as long as I have, you see repeated behaviors, repeated patterns, things that you had thought were solved 30 years ago are suddenly new again. And along the way, I've figured out ways to distract myself, like becoming part owner of a whiskey distillery and part owner of a soccer club and a few other places like that. And it's just been really interesting. It really has nothing to do with anything other than I really love that I can say I'm part owner of a whiskey distillery.
Suffice to say, I own a doorknob and half a window. But, you know, it's so fun to say. I am Canadian. Hey! And this is how I feel after 30 years of doing this. I tend to feel like this because, again, we keep repeating a lot of these behaviors. And as I was saying, I have done this before: a little bit of déjà vu.
But the thing that gets me is passwords. And this is not because I work at 1Password; it's because I've had to contend with them for 30-plus years. Does anybody know the origin of passwords in the cybersecurity context? Any hands? In 1962 at MIT, there were students that were stealing high-end compute time from their fellow classmates. So the professor said, okay, I've got to figure out a way to fix this.
And he instituted passwords to protect the accounts so that the users could not go through and steal compute time from their fellow students. That same year, IBM came out with a system that had introduced passwords, and even they say that MIT beat them to the punch. So we've been dealing with a knee-jerk reaction or response and calling it a security control since 1962.
Passwords are a control, but they're about as effective as a house key. When you lock your house and you go to work in the morning, or whatever it happens to be, if you lose that key along the way and you have a picture of your family on the chain, or you have something that identifies you, somebody of negative intent could pick that up and go back and get into your house.
The house doesn't know any better, so there's no security aspect to it. It's just, you know, some way to protect your stuff. And when we're dealing with passwords, a lot of bad things can happen. At a company that I worked at three lifetimes ago, one of the things we found was that there were gangs in Vietnam that would break into websites and steal usernames and passwords, then play them back against other sites to try and expand their access, you know, the land and expand.
Just a couple months ago, one of those teams was actually captured, and that was after they had done $71 million in damage. This was a small team, I think, of about four people. This is just one of the teams that we tracked way back when; that was over a decade ago.
But in security, we also follow our own rules. We tend to do things differently because we look at the world a lot differently. And when you're looking at the modern threat landscape, we have to understand that while everything has changed, all the names have changed, the players are different, it's still fundamentally the same problems that we're contending with.
We also have to look at the importance of safeguarding the data. We're still having this conversation over and over again, and when we're looking at that, we have to look at things in addition to passwords and data breaches; we also have to look at shadow IT. Shadow IT is not something that happens because somebody wakes up that day, goes to work, says I'm going to screw the boss, and sets up something just to mess with them. Shadow IT happens because they need to get their jobs done, and bad things can and will happen.
Now, I spent nine years in control systems, and during that time I worked for one company that used to be part of a larger company. Excuse me. That company was split into five different companies, and at one point we had this network anomaly we were looking at, and we're like, what is going on here? We couldn't, for the life of us, figure it out.
There was some switch or router or something running out across the network, and we're like, something's not right here. We went through the entire inventory and nothing matched up to what we had in the network. So I said, all right, let's go out on the raised floor. And they said, what is that going to accomplish?
And I said, we can't figure it out from here. We have to go there and do a hard target search. Got the tile lifter. Boom, one. Boom, two. Boom, third tile comes up. What's staring back at me is a Cisco 1750. There was a router under there that was still connected back to one of the companies that used to be part of the original company, who was now our competitor.
We were able to talk to them. They didn't know it was in place either, so panic ensued. Everything was fine. We were able to pull the plug. But this just goes to show you examples of things that we should have solved years ago, yet continue onwards. And when we're dealing with the evolution of threats, we have to realize that there is a common thread amongst all of them, and we have to look at the data. That is a key piece of the puzzle.
And when we talk about complexity and things like that, it's just because with high-end compute time, with cloud compute time, with, God help me, AI, we have gotten bigger, better, faster and dumber. And this kind of thing happens to this day. This is from a site called informationisbeautiful.net. And they did data visualization for all of the data breaches and the size of them.
Back in 2012 I started tracking data breaches because apparently I needed a hobby. And in that I found that the biggest one at that time was LinkedIn, with 6.9 million records. That was big news back in 2012. Flash forward to 2024: we're dealing with orders of magnitude more, billions of records. It's not getting better. It's getting far worse.
Then we flip it on its head. Ransomware. Ransomware really is the security debt collector. And what I mean by that is the reason this works is because so many systems, so many networks are not patched to current or n-1. And as a result, it provides targets of opportunity. And the attackers figured out how to capitalize on this.
Enter ransomware. If we look down the right-hand side here for 2023, which is the latest data I was able to get my hands on, you'll notice the sizes of the balls are now smaller, and those indicate the size of the target. So the attackers, who used to go after major corporations, have realized that if they go after the SMB market, they're able to do a lot more damage and still get paid.
That is one of those risks when we're dealing with shadow IT, because when shadow IT stands up, they put out these systems, they spin them up, they get their job done, but they don't patch them. They don't configure them properly. And, oh yeah, it's running production data and connecting through your production network. So, shadow IT. Everybody always needs their definition.
So this is really about risk management, as almost all of security is about risk management: how to protect your organization, because you have a fiduciary risk. Sorry, try that again: your fiduciary responsibility to do so. And how do we get it? Well, it's quite simple. There is a cause behind it. And what happens is people are trying to get something done and they don't have the systems in place in order to accomplish their role.
They're trying to get something done and it doesn't exist, the technology that they need in order to get their job done, or they just can't be bothered dealing with the internal politics of getting a system deployed.
And then there's the password failures. So the really interesting thing is, when we're looking at passwords, and we've been beating up on this for so long, like Per Thorsheim, who runs PasswordsCon, he and I used to go back and forth because I used to talk a great deal about MFA. That's a great way to reduce risk.
And it is. But he was fundamentally saying that passwords are an absolutely fantastic thing, and I'm not going to beat him up for it. I don't necessarily agree, but we still have the exact same conversation about weak passwords, reuse, easily guessed. And a lot of this boils down to the human behavior: convenience versus security. Here we are, 30-plus years after I started my career in this field, and I still wake up screaming. We're still having this conversation. And then there's the data. And nowadays we see so many data breaches. S3 buckets are one of my favorites because it keeps happening over and over again. Now, an S3 bucket, if you're not familiar with it, is a data repository.
You can spin one up in AWS, and you put whatever you want into it. Now, I wrote an article for Forbes years ago where I showed step by step, including screenshots, that when you do this, it says in big, bold letters, do not make this public unless you absolutely know what you're doing. Unfortunately, S3 buckets are usually spun up by somebody in marketing, somebody that is just trying to get their job done.
And unfortunately we're back to having that shadow IT problem. Then there's the problem of putting data on laptops to go home and work on it on the weekends. Yes, we're still having this conversation. We need to look at ways to, you know, make sure that we have encrypted devices. There's no reason not to at this point. We need to look at extended access management to fill in that gap, to deal with shadow IT, to deal with unmanaged devices in your organization, and strong policies and defined, repeatable processes will help a great deal in many organizations.
I've been in too many companies over the years where something would happen. All hands on deck. Everybody's hair on fire. But what did we really achieve? We spent an entire day running around with our heads cut off, and this was really frustrating to me. Finding repeatable processes that you practice in your organization will really go a long way to help, and we have to learn lessons from these data breaches.
If you look at the medical field, if you look at jurisprudence, these fields have been around for so long that they have canon. They have developed these processes, they've developed the lessons learned, they've made mistakes along the way. Something as simple as hand-washing. At one point in time, people didn't wash their hands because they didn't know any better.
But then one doctor figured out that if he washed his hands, the rate of fatalities in his ward dropped significantly, and that's when he was able to make the connection. When we're looking at those data breaches, we have to look at what went wrong. Far too often, especially in the United States, if we want to find out what went wrong, we have to wait for the SEC filing, because organizations don't really want to share that message. They don't want to expose what they did wrong. Employee training is another one. There have been so many times in this field where I've had discussions with people who have been in the field as long as I have, and they say, oh, security awareness training is useless, it doesn't do anything.
I said, well, it's ineffective if it's not approached in the right way. You have to use something that is going to land with the users that you're training. Because if you vilify the users, what are you going to get? A whole lot of problems. If you have a rolled-up newspaper and you hit your dog across the snout, it's going to stop barking, but it's going to do all kinds of other horrible things because it's very upset.
We want to make sure we're not doing that, because bad things can and will happen. Capital One, for you, back in 2019, had 100 million credit card applicants exposed because of a misconfigured WAF. Panera Bread had a couple of breaches. 2018 is a well-documented one where, again, shadow IT was spinning up a system and the attackers got in. In 2024 they had another breach.
That part has still not been fully disclosed as to what transpired there. Uber. They've had several. At one point they had 57 million users exposed. If I line up all of the free credit reporting I have, I'm good to about 3042. And then the Dow Jones. So again, this was another S3 bucket, an unapproved one. So it's like trying to figure out how we can do this better.
We've been doing this for so long as an industry, if you want to call security an industry, that we should have learned these lessons. We need to capture them. We need to document them, because things like shadow IT really prey on the connective tissue that is between all of these systems. For example, if I ask everybody in this room if they have controls in place, sorry, controls in place technologically as well as policy-based, to protect against shadow IT, I'm guaranteed everybody will put a hand up.
Now I'll ask these same people: do you have shadow IT in your environment? The ones not putting their hand up, you're lying. We all have it. And this is one of those things where we have to figure out how to get better at protecting them. Then we've got to look at the psychology of passwords and why the users do the silly things that they do.
And a lot of the time it is really about, you know, the ease of recall, how they can better control that. So my passwords are completely insane. Yes, I work for a password manager company, but I'm not pitching that. I've used other products as well, but the whole point here is I was able to make them completely insane and virtually impossible to guess.
Excuse me. And if they got compromised, it would be a very long time for a rainbow-table-type cracker to get through them. Password fatigue really does lead to problems. So when the users are trying to create these new passwords, it'll be like Monday1, Monday2, Monday3: malicious compliance. We want to find ways to better empower them.
And there are all sorts of technologies out there that can improve how we do these things. And failing that, we always have the standard "how to do a good password."
Now, normally I would have a coffee with me, but I forgot it out in the hallway. So this is where I had my coffee break. There we go. Moving on. We've got to figure out better ways to manage our passwords. Multifactor authentication. Absolutely. Great way to reduce risk in your organization. How many of you, how many organizations in here, are on a path towards a zero trust type journey?
Cool. This is a great way to get started if you haven't gone down that road, because you quickly reduce the risk profile for your organization. Also looking at passwordless solutions. Biometrics. FIDO2 passkeys. Google has gone all in on passkeys, as an example. This is a way to make it easier for the user to get their job done, while reducing the risk to your organization as well.
Full disclosure, I work for a password manager company. It helps reduce the risk. Again, we also have to look at innovative approaches to data protection. We can't just dump things in S3 buckets and think everything is going to be fine, because if you go through GitHub, you can see there are all sorts of different scanners there that you can just download and go.
You want to be proactive in your security program. Being reactive is really going to put you on the back foot all the time. And I've worked in organizations in the past where we were on the back foot all the time. Something happened, it was all hands on deck, and I wouldn't get home till 3:00 in the morning because Ned in accounting did something stupid.
This is not a way to run a business. We have to look at how we can move towards systems that are antifragile. And what that means is a system that can take a hit, but then come out stronger as a result. We have technologies out there that can do exactly this. We have to be able to match the adversaries where they live, because the media will say, oh, the evil hackers.
Hackers are people with a fundamental curiosity who are trying to figure out how to tear something apart, learn about it, and move on from that point to how they can improve matters. It's not a negative, so we have to own that narrative back again. We have to figure out how to embrace continuous learning in our field. Every day is something new, and I think that's why I've stuck around this long: I've never had two days that were the same in my career, and I call myself very fortunate for that.
Then we have the introduction of AI. Drink. Where? Yes, the if-then-else on steroids will help, because I've yet to find an organization that had all the security people they want or need, all the tools they want or need. So we've got to figure out how to do more with less, how to improve things.
And approaching it like this, like, there's a book by Nassim Taleb, who wrote this book called The Black Swan. I think I butchered the name, but it's basically Black Swan. And the whole idea here was looking at events through time, both kinetic as well as cyber, where people could look back and say, oh, well, it was obvious, it should have been X.
And that's really the fundamental crux of it: something that has a material impact, extremely significant, but in hindsight was easily remedied. So we have to look at ways that we can improve this. And there was one military that had the 10th man principle, or 10th person principle, and what that was is, if you had nine people in a room that said the sky is blue, the job of the 10th person was to say, actually, it's yellow, and then argue as to why.
So you had that counterpoint, so you didn't just blindly accept what everybody else was saying. We have to institute this sort of thinking into cybersecurity so that we are making sure that we are not repeating the mistakes that we've seen so many times: so many vendors, so many customers, so many companies out there that have made these missteps and absolutely turf-toed it, and it didn't have to be that way.
Systems that are fragile are systems that are susceptible to attack. But you want them to be resilient. You have to figure out a way to build them up so they can take a punch. I used to work at a company called Akamai, where our whole network premise was built on being able to take a punch and come back stronger. It is possible to do this.
There are all sorts of different solutions out there that can help us with shadow IT type things, but we have to stop kidding ourselves and look at ways to improve things overall. We've got to be better prepared. If you have a breach, are you like my old company, where I'd be running around with my hair on fire? Or do you have a clear delineation as to what needs to happen?
I see a couple of people over here laughing. That's either a good thing or a bad thing. You have to figure out how you're going to respond and practice that in your organization. And do you have a matrix team that's going to respond, you know, somebody from crisis communications, somebody from IT security, da da da da da, somebody from legal?
I was on a panel in Nashville about a year ago. And the question: they came across the stage and asked all nine old white men on the stage what they would do. I did take issue with that, by the way. As they went across, everybody's like, oh, I call the head of security. Oh, I call this, I call that.
And they got to me. I said, I call the lawyer, and that was it. Yeah. Exactly that. The audience laughed, but I was being entirely honest, because that was part of our game plan. In the last company that I was in, you called legal, and there was a call that would happen after that, with all the people that needed to be pulled in.
And in the event of a breach, you have to have some sort of notification process. When you're dealing with your stakeholders, you can't have a data breach with millions of records go out there and just go, no, no, we're fine, everything's good, because you have a fiduciary responsibility not only to protect your organization, but, if you're publicly traded, well, there are laws.
Now, the reason why shadow IT happens, this is something I was talking about earlier: speed and convenience. A lot of companies, when they're trying to build up something new, because companies are always telling their staff they have to innovate, they have to get out there and do something new and exciting in order to improve the business. So they'll go do that.
But if the existing infrastructure does not support what they're trying to accomplish, they're going to find a way around it. Perceived inadequacy. That's the big one. That is the one that comes up time and again. In one bank I was working at many, many moons ago, we went through and looked at all of the corporate credit card statements that had been submitted for reimbursement, looking for AWS.
That's how we were able to find our shadow IT installations, because we didn't have the proper visibility in that bank in order to find what we were looking for. And because these folks were trying to innovate, they were trying to experiment and try stuff that was new. They weren't doing it out of a sense of malice. As security practitioners, we have to be a business enabler.
How many times have you heard that security is the Department of No? Security is the flaming sword of justice. Security will not allow that. Security is there to empower the business. We have grown up beyond that. We are that dog that would chase the car down the laneway, and we finally caught the bumper. Now we've got to figure out what to do with it.
Because when you're dealing with shadow IT, unfortunately, every time I see a shadow IT installation, in whatever company I've been in in the past, it almost always, always uses production data. That's a risk. So you have the risk of the data loss. That's one piece of it. Without proper oversight into a shadow IT platform, you don't know how that data is being used.
You don't know if it's being dumped in an S3 bucket, and you're on the front page of the local newspaper the next day. You're really increasing your risk. And that's something that is eminently avoidable. Then you have the risk of compliance. So if you have these systems spun up, if you're in medical, if you're in finance, you have sets of rules that govern how you're supposed to approach things.
And if you are not in lockstep with those rules, you could be subject to significant fines.
And those fines pile up, and they impact the bottom line. Your company could have a huge... come on in. Okay. There you go. Yeah. Come on. I just love it when they peek in the room like, hey, I'm not sure. What was that, coming for the next one? Oh, not Andy Ellis. So you have the risks to the bottom line.
You have that financial impact to your organization that can't be understated. This is something you have to always keep in mind, because stuff like this will happen. How many people have ever been in a production system or production network, walked out on the floor, and seen a beige desktop? I expected a few more hands. But this is usually running code written by a summer student.
But it has become mission critical, and nobody has a clue how to pull it off. This is the kind of problem that still exists today, because we have so many companies out there that will say, oh, we're cloud first. But when you pull back the curtain (see, the great AWS is lying to you), then you realize only about 50% of companies out there really are cloud first. What I mean by that is 100% cloud. There are so many companies that are still either on-prem or a hybrid type of approach. And a lot of those are large organizations with deep pockets and a lot of sunk costs. So one example of this was I had one system where nobody could figure out what it was doing. It wasn't in their asset inventory.
It wasn't documented properly anywhere, and it was doing silly things. So I had reached out to all the project leaders and said, who owns this box? Nobody fessed up. So I pulled the Ethernet cable. Not a process I recommend, but I was at my wit's end. And then I attached a letter to it. I said, to whom it may concern, this box was acting up.
We've tried to communicate with all the project managers. We have taken this offline until further notice. And I signed it and put the date. Sure enough, the person who actually owned the system came down screaming bloody murder, beet red in the face. He's like, I'm going to have somebody on a stick. Why is this system offline? I said, well, we did reach out.
You were on the email. We were looking for the person who owned this system, trying to figure out why this was doing what it was doing. He said, this is mission critical. This has to be online. I said, okay, there's a letter there for you. He opened up the letter, folded it up, handed it back to me.
So terribly sorry. Thank you for your time. Left. The letter was dated nine months earlier. It took him nine months to realize that that system had been a problem, or offline. So we have case studies: a database that was popped, 5 billion records in 2021. Another system, 260,000 customers' data exposed due to a whoops. Another company, 530 million users exposed.
But they didn't tell anybody because they thought nobody would notice. The attackers dumped them and dumped the data in public. Some of these you'd be able to figure out rather quickly. With the future of cybersecurity, we have to look at stuff like Zero Trust architecture. Zero trust, spit on the floor or love it, it doesn't matter. It's about risk reduction.
Fundamentally reducing that risk. Looking at things like micro-segmentation, extended access management. The rise of cyber insurance is coming up. It's frustrating to me, because I actually wrote an article for Forbes a while back, and in order to get cyber insurance, I took a bunch of the intake forms from multiple companies. Anybody trying to apply for it would fundamentally have to lie in order to qualify for insurance.
Track down one of them. Have a look. You'll see what I'm talking about. Another piece was the KVM fallacy. There was one power company I was working at. They said, if you want to work on the production systems, you have to go into the KVM room. That's the only way to attach to production systems.
Well, me being me, I went back to my desk and I went, what do you want to bet? Fired up Remote Desktop right into the system. Yeah, there was no separation. There was no network zone segmentation. I could quite literally attach to any of the production servers. And I knew the credentials, so I could literally go in and change anything.
And nobody would have noticed. These are the kind of things we have to move away from. And we say, oh yeah, we're secure, we checked all the boxes. We have to realize the road to hell is paved with good intentions, and that increases our risk. We have to look at ways to get data loss prevention under control, adhering to compliance, protecting against security attacks.
We have to figure out how to tighten up the access trust gap between the internal core systems and what people are using at home. And the gap in between is really, fundamentally, where shadow IT lives. Admins worry about it, but they don't necessarily have the capacity to do anything about it. Many companies have a stack to approach this, but shadow IT slips through the cracks because they check the box.
Yes, we have controls in place. Yes, we have policy. And yet it continues to exist. Schrödinger's IT security problem. We need to tackle those threats before they grow. A great example of this, bit of a sidebar: I went for a colonoscopy not that long ago. I thought, everything's fine, everything's fine. My wife said, no, you're going. Sure enough, they were able to head off a problem that I didn't even know was there.
I had assumed everything was fine. I was eating right, I was exercising, but I was wrong. We have to apply that same sort of mentality to cybersecurity. Even though you think you're secure, even though you have all the toys, you have the options or the spinning rims, you have to constantly have a 10th person that looks at the other nine and says, maybe we should look at it a different way.
Thank you very much for your attention today, and if you want to learn more, head over to 1password.com. And thank you very much for listening. Thank you, HOU.SEC.CON., for having me back again this year.
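Early in the talk Dave describes crews that stole username/password pairs from one site and played them back against others. The detector below is an added example, not code from the talk or from 1Password, showing what that replay looks like in a login log and how a defender can pick it out. The log format, the IP addresses and the account names are constructed for the example; the thresholds (`min_users`, `min_fail_ratio`, `window`) are assumptions a real deployment would tune. The distinguishing signal is one source touching many different accounts roughly once each, which is a different shape from password guessing against a single account; the sample includes both so the difference is visible.

```python
"""Credential-replay detection over login logs.

Added example, not from the talk. The log format is constructed for
illustration (one line per login attempt):
    <ISO-8601 timestamp> src=<ip> user=<username> result=<ok|fail>

Replay of a stolen credential list shows up as ONE source trying MANY
different accounts, roughly once each, with a high failure rate. Plain
password guessing looks different (many attempts against ONE account).
The detector keys on the first shape and deliberately leaves the second alone.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 replays a leaked list across six
# accounts (one lands); 198.51.100.9 hammers a single account; 192.0.2.44
# is a normal login.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=fail
2024-05-01T10:00:03Z src=203.0.113.7 user=carol result=ok
2024-05-01T10:00:04Z src=203.0.113.7 user=dave result=fail
2024-05-01T10:00:05Z src=203.0.113.7 user=erin result=fail
2024-05-01T10:00:06Z src=203.0.113.7 user=frank result=fail
2024-05-01T10:00:30Z src=198.51.100.9 user=alice result=fail
2024-05-01T10:00:45Z src=198.51.100.9 user=alice result=fail
2024-05-01T10:01:10Z src=198.51.100.9 user=alice result=ok
2024-05-01T10:02:00Z src=192.0.2.44 user=grace result=ok
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, user, result)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def find_replay_sources(log_text, window=timedelta(minutes=5),
                        min_users=5, min_fail_ratio=0.5):
    """Return {src_ip: stats} for sources whose busiest sliding window holds
    at least `min_users` distinct accounts with a failure ratio of at least
    `min_fail_ratio`. `successes` lists the accounts that landed and should
    get a session revoke / password reset."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            by_src[src].append((ts, user, result))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": fails,
                        "successes": sorted(u for _, u, r in win if r == "ok"),
                    }
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, stats in find_replay_sources(SAMPLE_LOG).items():
        print(src, stats)
```

On the sample the only source flagged is 203.0.113.7 (six accounts, five failures, one success on `carol`); the single-account hammering from 198.51.100.9 is left for a separate lockout or rate-limit rule, since the response differs (reset one account versus review every account the source touched).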
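Dave's story about the bank where the team found its shadow IT by reading corporate card statements for AWS charges is a detection technique in its own right, and it generalises to any cloud or SaaS provider that bills a personal or departmental card. The script below is an added example, not the bank's or 1Password's code: it scans a constructed expense export for merchant strings from a few providers, groups the spend by cost centre and provider, and separates one-off charges from recurring ones. The CSV columns, merchant strings and amounts are constructed; the `known_accounts` allow-list is an assumed way to suppress sanctioned accounts that finance already knows about.

```python
"""Find cloud/SaaS spend on corporate card statements (shadow IT discovery).

Added example, not from the talk. Column names, merchant descriptors and
amounts below are constructed; the provider patterns are illustrative and a
real run would extend them to whatever your procurement policy covers.
"""
import csv
import io
import re
from collections import defaultdict

# Merchant descriptor patterns as they tend to appear on card statements.
PROVIDER_PATTERNS = {
    "AWS": re.compile(r"amazon web services|aws emea|amzn.*aws", re.I),
    "Azure": re.compile(r"msft\s*\*?\s*azure|microsoft azure", re.I),
    "GCP": re.compile(r"google\s*\*?\s*cloud", re.I),
    "DigitalOcean": re.compile(r"digitalocean", re.I),
}

# Constructed expense export: one AWS account billed monthly to Marketing,
# a one-off GCP charge in Research, an Azure charge in Finance, and coffee.
SAMPLE_STATEMENT = """\
date,employee,cost_center,merchant,amount
2024-01-15,j.doe,Marketing,AMAZON WEB SERVICES AWS.AMAZON.CO,142.17
2024-02-15,j.doe,Marketing,AMAZON WEB SERVICES AWS.AMAZON.CO,188.40
2024-02-20,a.smith,Research,GOOGLE *CLOUD 9f4a,61.00
2024-02-21,p.lee,Sales,STARBUCKS #1234,6.45
2024-03-03,m.chan,Finance,MSFT *AZURE,410.02
2024-03-15,j.doe,Marketing,AMAZON WEB SERVICES AWS.AMAZON.CO,233.90
"""


def classify_merchant(merchant):
    """Map a merchant descriptor to a provider name, or None if not cloud."""
    for name, pattern in PROVIDER_PATTERNS.items():
        if pattern.search(merchant):
            return name
    return None


def find_cloud_spend(statement_csv, known_accounts=frozenset()):
    """Aggregate cloud charges by (cost_center, provider).

    `known_accounts` is an assumed allow-list of (cost_center, provider)
    pairs that procurement already sanctions; those are skipped.
    """
    findings = defaultdict(lambda: {"employees": set(), "months": set(), "total": 0.0})
    for row in csv.DictReader(io.StringIO(statement_csv)):
        provider = classify_merchant(row["merchant"])
        if provider is None:
            continue
        key = (row["cost_center"], provider)
        if key in known_accounts:
            continue
        entry = findings[key]
        entry["employees"].add(row["employee"])
        entry["months"].add(row["date"][:7])        # YYYY-MM
        entry["total"] = round(entry["total"] + float(row["amount"]), 2)
    return dict(findings)


def recurring(findings, min_months=2):
    """Charges seen in at least `min_months` distinct months: a running
    workload rather than a one-off experiment, so the higher-priority lead."""
    return {k: v for k, v in findings.items() if len(v["months"]) >= min_months}


if __name__ == "__main__":
    spend = find_cloud_spend(SAMPLE_STATEMENT)
    for (cc, provider), info in sorted(spend.items()):
        flag = "recurring" if (cc, provider) in recurring(spend) else "one-off"
        print(f"{cc:10} {provider:12} {info['total']:>8.2f}  {flag}  {sorted(info['employees'])}")
```

The recurring bucket is where the speaker's "production data on an unpatched box" risk usually sits; a one-off charge is more often an experiment that has already been torn down, but both are worth a conversation with the card holder rather than a reprimand, for the reasons the talk gives.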
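The S3 bucket exposures Dave keeps coming back to are, at the configuration level, one of three things: a bucket policy that grants to `Principal: "*"`, an ACL grant to the AllUsers or AuthenticatedUsers group, or both, without the account-level Block Public Access settings in place to neutralise them. The checker below is an added example, not code from the talk or from AWS; it evaluates those three documents offline, in the JSON shapes the S3 API returns them, so it runs without credentials. The bucket name, the account id in the role ARN and the canonical-user id are constructed placeholders, and the Block Public Access handling is simplified to the two settings that matter for an already-existing public policy or ACL (`RestrictPublicBuckets` and `IgnorePublicAcls`).

```python
"""Offline check of an S3 bucket's public exposure from its policy, ACL and
Block Public Access settings.

Added example, not from the talk. The inputs are plain dicts/lists in the
shapes the S3 API returns (GetBucketPolicy, GetBucketAcl grants,
GetPublicAccessBlock). Bucket name, account id and canonical-user id are
constructed placeholders. Simplification: a public bucket policy is treated
as neutralised by RestrictPublicBuckets, and a public ACL by IgnorePublicAcls.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed: the usual "public-read" policy on a marketing bucket, plus a
# scoped write grant to one role that is not a public path.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-marketing-assets/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/marketing"},
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-marketing-assets/*"},
    ],
}
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
BPA_OFF = dict.fromkeys(BPA_KEYS, False)
BPA_ON = dict.fromkeys(BPA_KEYS, True)


def principal_is_public(principal):
    """True for the wildcard principal in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """(index, kind) for every Allow statement granted to everyone. A
    statement carrying a Condition block is reported as 'conditional': it
    may be narrowed (a VPC endpoint, a source IP range) and needs a human look."""
    out = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        out.append((i, "conditional" if st.get("Condition") else "unconditional"))
    return out


def public_acl_grants(grants):
    """ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in grants
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def assess_bucket(policy, grants, bpa):
    """Return {"public": bool, "reasons": [...]} listing each live public path."""
    reasons = []
    if not bpa.get("RestrictPublicBuckets", False):
        for i, kind in public_policy_statements(policy):
            sid = policy["Statement"][i].get("Sid", f"#{i}")
            reasons.append(f"policy statement {sid}: {kind} Allow to Principal *")
    if not bpa.get("IgnorePublicAcls", False):
        for g in public_acl_grants(grants):
            group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
            reasons.append(f"ACL grant {g['Permission']} to {group}")
    return {"public": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess_bucket(SAMPLE_POLICY, SAMPLE_ACL_GRANTS, BPA_OFF))
    print(assess_bucket(SAMPLE_POLICY, SAMPLE_ACL_GRANTS, BPA_ON))
```

With Block Public Access off the sample reports two reasons (the `PublicRead` statement and the AllUsers READ grant); with all four settings on it reports none, which is the point of enabling them at the account level so that the marketing team's bucket is covered regardless of what the console warning says and whether anyone read it.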