(ISC)² Security Congress 2021 - day three

Rounding out the conference on day three with some fantastic speakers.

I started my day with some careers advice work, using both the resources from the online careers centre and chatting with Suzanne Ricci again.  Today we discussed my CV and LinkedIn profiles so I've got a few things to do there.  Just to reiterate - I'm not looking at changing jobs any time soon, but you never know what's going to happen in local government!

Keynote, Jane Frankland: Women in Security -  A Strategy for Safety

Cybersecurity, and IT in general, has problems with image and culture.  Don't believe me?  I invite the reader to undertake their own supplemental reading as there are plenty of reports and books (at least one by Jane) that focus on the problem.

Jane discussed how men and women are different in the way they think and how we can all benefit from that diversity.  Indeed, uniformity of thinking can leave you blind to attacks from an adversary that thinks in a different way - the more brains and thought processes the better.  Research has shown that group intelligence also increases with women in the group, compared to just men.  Note though that Jane did not say women were better than men - she only remarks that they're different.

So, how do we fix the image and culture problem?  Looking at culture first, one thing that men who support women in tech / cybersecurity can do is call out bad practice and attitudes.  Sadly it was necessary to do that during the keynote, less than ten minutes in, when one person with a historically male name said:

What a waste of time to watch this woman

Jane had barely started speaking when that message was sent and a number of us called the commenter out[1].  As I understand it the individual was ejected from the session - good.

Change often starts in language, and in recent years we've seen a reduction in the use of terms such as "blacklist" and "master" as these are known to cause offence to some groups.  Jane reminded us that we can change the language we use, for example not talking about the glass ceiling[2], to make jobs and the industry more attractive to women.  Another important thing to do is to stop blaming women for problems caused by (or encountered by) men.

Recruitment practices are often subject to bias, particularly unconscious bias.  I've noticed myself when reviewing applications that I'd much rather not know the name or gender, although sometimes knowing the year of a university degree would be useful, because that may mean I'd know what was covered.  Jane seems to advocate recruitment based on work samples to determine competence as looking at CVs can give rise to bias.  I'm not sure how you solve the initial shortlisting process, but it's an interesting suggestion.

For those worried that Jane's recommending we exclude men, I'll paraphrase one of the key things I've taken away:

We have to make sure men are not excluded, don't feel alienated, don't feel threatened, in order to make things better for all people.

Let's work together to make our industry really attractive to everyone, for the betterment of everyone.

Keynote, Lisa Forte: The Rise of the New Inside Threat

Go back to the pre-smartphone era and if you wanted to steal company secrets you had to find a way to smuggle them out of the office - hiding papers in your gym bag or tossing folders out of the window for example.  Now that many carry a camera it's easy to take a photograph of proprietary or sensitive information.  Opportunities for malicious insiders are greater now than ever.

Lisa went on to tell the story of John, a scientist targeted by a third party purporting to be a woman he'd find romantically interesting.  Planning for the attack seemed to take months before John was talked into watching his girlfriend's dance video on the lab PC ("it only works on older hardware").  As Lisa put it:

A little less MP4 and a little more malware

To an attacker, insiders are very valuable.

So, how do you stop your employees from being prepared to share secrets - willingly or by being tricked?  Lisa reached for history and told us about the Soviet Union's City 40, where the residents were given such perks and preferential treatment that they accepted the fact they weren't allowed to leave.  There was no permitted communication with the outside world.

Clearly we can't lock our employees up in the office!  Lisa's point was that the people in City 40 felt incredibly well treated so they remained loyal.  We need our employees to feel that way too.  In that way security is a bit like marketing - we have to sell the idea of doing the right (security) thing to colleagues so they see the benefits and instinctively want them.

Paul Schwarzenberger: AWS, Azure and GCP security

I've got some experience with AWS and Azure, and have done some Pluralsight courses on each, but GCP is largely alien to me.  In Paul's talk he demonstrated three security areas and graded each provider accordingly:

  1. Administrator identities
  2. Network perimeter security
  3. Content Delivery Network tools

Given the connected nature of cloud hosted applications and workloads it's important to consider that an individual could exfiltrate data from the company's cloud environment to their personal one.  Where possible, use controls to help prevent that scenario.

Some organisations are going multi-cloud which presents additional challenges in terms of expertise.  Determine if your organisation needs multiple clouds, then use each cloud for its strengths.  Ideally stick to a single identity / authentication source - for example Microsoft's Azure AD.

Joseph Carson: FROM ZERO TO FULL DOMAIN ADMIN - Tracking the digital footprint of a ransomware attack

(The capitals come from the talk title, not me!)

I'll confess to being somewhat of a voyeur when it comes to desk builds, office setups and case studies for incidents.  I was looking forward to this talk because I feel it's important to learn from issues experienced by others, and Joseph covered a real attack that he helped respond to.

First up, we need to make sure we force attackers to make as much noise as possible.  I'm not talking about causing them to trigger sirens, but in the digital space causing an attacker to leave lots of log entries is the next best thing.  Having log entries is only half the battle though - someone, or something, needs to look at those log entries.  That's where a Security Information and Event Management (SIEM) system and correlation engine come in.  Also, make sure logs are centralised and "off-box" so an attacker can't erase them.

Chances are it's only a matter of time before your organisation suffers a major security incident so it's crucial that you're "incident response ready".  I commented on this in yesterday's post, and rehearsing response is something everyone should be doing.  Joseph also suggested having a go-bag (something else that came up yesterday)[3] reminding us to include a jumper - data centres are cold!!

In this particular case the attacker gained access to the organisation's network after the finance department had a workstation exposed to the Internet via Remote Desktop Protocol.  It looks like the attacker then brute forced their way into the device (PSLogonFailures is a tool I wrote to help combat that) before gaining a persistent foothold.  From there they managed to steal domain administrator credentials and move laterally onto a domain controller before triggering their ransomware payload across the network.
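To make the "force the attacker to make noise, then have something look at the noise" point concrete, here is a small correlation rule of the kind a SIEM would run over centralised Windows Security events.  This is an added example written for this post, not code from Joseph's talk and not part of PSLogonFailures.  The event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the sample records, the five-failures-in-two-minutes threshold and the field layout are constructed for illustration.  The rule flags a burst of RDP logon failures from one source and then escalates if that same source subsequently logs on successfully, which is the "brute force followed by foothold" sequence described above.

```python
"""Correlate forwarded Windows Security events to spot an RDP brute-force burst
and a subsequent successful logon from the same source.

Added example for illustration; not the talk's or PSLogonFailures' code.
Event IDs 4625/4624 and logon type 10 are real Windows values; every record,
threshold and window below is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events as a SIEM might hold them after off-box forwarding:
# (timestamp, event_id, target_account, source_ip, logon_type).
SAMPLE_EVENTS = [
    # Six RDP failures from one Internet address inside half a minute ...
    ("2021-10-21T02:00:01", 4625, "finance01", "203.0.113.7", 10),
    ("2021-10-21T02:00:05", 4625, "finance01", "203.0.113.7", 10),
    ("2021-10-21T02:00:09", 4625, "finance01", "203.0.113.7", 10),
    ("2021-10-21T02:00:14", 4625, "finance01", "203.0.113.7", 10),
    ("2021-10-21T02:00:20", 4625, "finance01", "203.0.113.7", 10),
    ("2021-10-21T02:00:27", 4625, "finance01", "203.0.113.7", 10),
    # ... followed by a successful RDP logon from the same source.
    ("2021-10-21T02:00:40", 4624, "finance01", "203.0.113.7", 10),
    # A user mistyping their password twice, then getting in: benign.
    ("2021-10-21T02:03:00", 4625, "jsmith", "198.51.100.4", 10),
    ("2021-10-21T02:03:10", 4625, "jsmith", "198.51.100.4", 10),
    ("2021-10-21T02:03:20", 4624, "jsmith", "198.51.100.4", 10),
    # A non-RDP (network, type 3) failure that this rule deliberately ignores.
    ("2021-10-21T02:04:00", 4625, "svc_backup", "10.0.0.5", 3),
]

FAIL_THRESHOLD = 5          # failures from one source ...
WINDOW = timedelta(minutes=2)  # ... within this sliding window

RDP_LOGON_TYPE = 10


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, in the order they fire.

    'rdp_bruteforce'   : >= threshold 4625 events from one source IP within window
    'likely_compromise': a 4624 from a source that was already flagged
    """
    # Process in time order; ISO-8601 strings sort correctly as text.
    events = sorted(events, key=lambda e: e[0])
    recent_failures = defaultdict(deque)   # source_ip -> timestamps in window
    flagged_sources = set()
    alerts = []

    for ts_str, event_id, account, source_ip, logon_type in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ts_str)

        if event_id == 4625:
            window_q = recent_failures[source_ip]
            window_q.append(ts)
            # Drop failures that have aged out of the sliding window.
            while window_q and ts - window_q[0] > window:
                window_q.popleft()
            if len(window_q) >= threshold and source_ip not in flagged_sources:
                flagged_sources.add(source_ip)
                alerts.append({
                    "type": "rdp_bruteforce",
                    "source_ip": source_ip,
                    "failures": len(window_q),
                    "first": window_q[0].isoformat(),
                    "last": ts.isoformat(),
                })
        elif event_id == 4624 and source_ip in flagged_sources:
            # Success after a burst of failures: treat as a probable foothold.
            alerts.append({
                "type": "likely_compromise",
                "source_ip": source_ip,
                "account": account,
                "at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Two design points worth noting.  The rule keys on source address rather than account so that password spraying across many accounts is still counted, and it only ever works because the 4625/4624 records left the workstation before the attacker could clear the local log; centralised, off-box logging is what makes the correlation possible at all.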

To reduce your risk:

  • Don't publish RDP directly to the Internet!!
  • Move towards micro-segmentation and zero trust architecture
  • Educate staff and run awareness campaigns
  • Have a good, tested, offline, backup
  • Follow the principle of least privilege (in this case the finance staffer was an administrator of their computer)
  • Have a vulnerability management programme
  • Use logging analytics and alerts
  • Look at just in time privilege granting, rather than persistent privilege

Day three conclusion

It really felt like today went quickly, and I suppose it did.  Nonetheless the talks I attended were excellent and gave much to think about.

Overall conference conclusion

As I mentioned, this is the first conference I've ever paid to attend and I think it was worth the money.  Not only have I enjoyed the sessions I watched live, I've still got access to the others, saving me trying to invent a time turner (from Harry Potter) and meaning I can increase the value of the conference by watching them afterwards.  I just need to make sure I do so.

I've found the career workshops particularly useful, especially the one to one sessions.  I still don't know exactly where I want to go with my career but I have a better idea of how to work it out.

What's next?

Thank you for reading my end-of-day posts (day one here, day two here).  I'll be adding some more blog posts to this series, probably over the coming weeks, that reflect on the fact this was purely online and considering how that worked as a platform.  I'll also be looking at the talks I couldn't attend after I've watched the recordings.

[1] Personally I emailed one of the conference staff and commented that action should be taken, particularly if the person was an (ISC)² member as they're in breach of the code of ethics.

[2] Related anecdote.  My wife once worked for a large company that were going to build a glass bridge through one building to allow staff to cross a canteen without entering it.  The project was a long way through before she pointed out that a glass bridge would have meant upskirting was possible.  I believe they frosted the glass as a result!

[3] All this talk about preparedness and go-bags has me wanting to be a prepper, if I'm honest.