Security Lessons from Dictators
#44Con

September 12th 2013
44CON 2013 - Security Lessons from Dictators - Jerry Gamblin
What do the Grand Ayatollah Seyyed Ali Hosseini Khamenei, Kim Jong-un, Julius Caesar, Abraham Lincoln, Napoleon Bonaparte and Adolf Hitler have to do with network security? Come and discover the mistakes these dictators made, what they can teach us about network security, and how to apply those lessons to our companies and coworkers.

1. Security Lessons from Dictators. #44Con, September 12th 2013.
2. About me: Jerry Gamblin, Security Specialist, Missouri House Of Representatives. Contact Information: Jerry.Gamblin@gmail.com, @jgamblin, www.jerrygamblin.com
3. About this talk: "History does not repeat itself, but it does rhyme." - Mark Twain
4. Security Lessons from Dictators
5. Insider Threats: Et tu, Brute?
6. Gaius Julius Caesar, Dictator Perpetuo of the Roman Empire
7. Marcus Junius Brutus. 49 BC: Fought with Pompey in Greece during the civil war against Caesar. 48 BC: Pardoned by Caesar. 46 BC: Made governor of Gaul. 45 BC: Made Praetor. 44 BC: Murdered Caesar.
8. How does your company defend against insider threats?
9. Insider Threats: You cannot detect and defend against insider threats from behind your keyboard.
10. Insider Threats: Insider threats are not a technical issue alone.
11. Insider Threats: People who steal your unprotected information are not hackers.
12. Edward Snowden. 2004: Enlisted in the United States Army as a Special Forces recruit. 2005: Security Guard for the National Security Agency. 2007: Network Administrator for the State Department. 2011: Worked for the NSA in Japan. 2012: Contractor for Booz Allen Hamilton. 2013: Leaked NSA surveillance programs to the press.
13. Could you have identified and stopped Edward Snowden on your network?
14. Incident Response: Execution of the Duke of Enghien.
15. Napoleon Bonaparte, Emperor of France
16. Louis Antoine, Duke of Enghien • Only son of Louis Henri de Bourbon. • Given the title Duke of Enghien at birth. • Military school at Commodore de Vinieux. • Fought in the French Revolutionary Wars against France. • Married Charlotte de Rohan. • Arrested for allegedly being part of the Cadoudal–Pichegru conspiracy.
17. Incident Response: "C'est pire qu'un crime, c'est une faute" (It is worse than a crime, it is a blunder.)
18. How does your incident response plan look in real life?
19. How can security professionals handle investigations better?
20. Hacking Back: Suspending habeas corpus.
21. Abraham Lincoln, 16th President of the United States of America
22. Hacking Back: "You are engaged in repressing an insurrection against the laws of the United States. If at any point on or in the vicinity of any military line which is now or which shall be used between the city of Philadelphia and the city of Washington you find [resistance] which renders it necessary to suspend the writ of habeas corpus for the public safety, you personally or through the officer in command at the point where resistance occurs are authorized to suspend that writ." - Lincoln to General Winfield Scott, April 27, 1861
23. Article 1, Section 9 of the United States Constitution: "The privilege of the writ of habeas corpus shall not be suspended (by Congress), unless when in cases of rebellion or invasion the public safety may require it."
24. Ex parte Merryman: "Such is the case now before me, and I can only say that if the authority which the constitution has confided to the judiciary can be usurped by the President, the people of the United States are no longer living under a government of laws."
25. Jon Huntsman, Commission on Theft of American Intellectual Property: "Without damaging the intruder's own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information."
26. "We'd politely remind them there's a federal criminal statute barring that." - Justice Department's Computer Crime and Intellectual Property Section
27. What do you think the future of hacking back (active defense) is?
28. Advanced Tools Over Proven Techniques: Next Generation Everything!!!!!
29. I am getting ready to use Adolf Hitler and WWII to make a point about network security. I am not trying to be flippant or disrespectful in the slightest and I understand the extreme cost of war.
30. Adolf Hitler, Führer of Germany
31. Wunderwaffe • Sturmgewehr 44 - The first assault rifle • Horten Ho 229 - A turbojet flying wing stealth jet fighter/bomber • Flettner Fl 265 - The world's earliest known airworthy synchropter • Schwerer Gustav - An 800mm railway gun • V2 - First human-made object to achieve sub-orbital spaceflight
32. It has been argued that Germany lost WWII by picking advanced tools over proven techniques…
33. … just like IT security.
    • Highly Trained Staff
      - Everyone has a CISSP!
    • No End User Training
      - Unless mandated
    • Patch Management System
      - End Users Have Admin Rights.
    • Next Generation Firewall
      - No Auditing of Web Apps.
    • Shiny SIEM
      - No one actually checks logs.
    • New Security Policy Guidelines
      - Shadow IT has taken over.
34. Why do security professionals have such a hard time getting the basics right?
35. Poor Security Awareness Training: USB Drives Don't Grow In The Desert
36. Grand Ayatollah Seyed Ali Hosseini Khamenei, Supreme Leader of Iran
37. Nuclear Program of Iran • 1957: The United States and Iran sign a civil nuclear co-operation agreement as part of the U.S. Atoms for Peace program. • 1968: Iran signs the Nuclear Non-Proliferation Treaty and ratifies it. • 1979: Iran's Islamic revolution puts a freeze on the existing nuclear program. • 1982: Iranian officials announce that they plan to build a reactor powered by their own uranium at the Isfahan Nuclear Technology Centre. • 1995: Iran signs an $800 million contract with the Russian Ministry of Atomic Energy for Bushehr. • 2002: The United States accuses Iran of attempting to make nuclear weapons. • 2004: Iran removes seals placed upon uranium centrifuges by the International Atomic Energy Agency and resumes construction of the centrifuges at Natanz.
38. Iranian Nuclear Scientists Killed • Masoud Alimohammadi, January 12, 2010 • Majid Shahriari, November 29, 2010 • Fereydoon Abbasi, November 29, 2010 • Darioush Rezaeinejad, July 23, 2011 • Mostafa Ahmadi-Roshan, January 11, 2012
39. Stuxnet • Computer worm discovered in June 2010 • Written by the US and Israel to attack Iran's nuclear facilities • Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices. • It is initially spread using USB flash drives.
40. Bruce Schneier: "I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere."
41. What are your thoughts on security awareness programs?
42. Misplaced Priorities
43. Kim Jong-un • First Secretary of the Workers' Party of Korea • First Chairman of the National Defense Commission of North Korea • Commander of the Korean People's Army
44. North Korean Nuclear Program. Phase I (1956–80): Start of North Korea's domestic plutonium production program. Phase II (1980–94): Growth of North Korea's domestic plutonium production program. Phase III (1994–2002): The period of the "nuclear freeze". Phase IV (2002–present): Renewed nuclear activities and tests.
45. What does your priority list look like for your security program?
46. Questions?
47. Contact Info: Jerry Gamblin, Security Specialist, Missouri House Of Representatives. Contact Information: Jerry.Gamblin@gmail.com, @jgamblin, www.jerrygamblin.com
48. Thank You
49. Richard Clarke: "If you spend more on printer ink than on IT security, you will be hacked. What's more, you deserve to be hacked."
