Infosec has seen a lot of change...from the 90s, 2000s, and 2010s...so much has happened. Yet, some things remain the same (and why all of us have jobs). Now that we've crossed into 2020...what are our lessons learned and how can we apply them? Let's take a look forward to Security 2030: the next decade.

1. 2030: THE NEXT DECADE
CHRIS SISTRUNK
BSIDESHUNTSVILLE 2020

2. ABOUT ME
Chris Sistrunk, PE
@chrissistrunk, #DJaaS, #NAPCON
Technical Manager, FireEye
• Mandiant ICS / OT Security
Electrical Engineer, Entergy
• Transmission & Distribution
• SCADA / Substation Automation
• 30+ DNP3 implementation vulnerabilities
• Substation Security Team
BSidesJackson Founder
BEER-ISAC Co-Founder

3. BSIDESHUNTSVILLE 2020
Infosec has seen a lot of change...from the 90s, 2000s, and
2010s...so much has happened. Yet, some things remain the
same (and why all of us have jobs). Now that we've crossed into
2020...what are our lessons learned and how can we apply
them?
Let's take a look forward to Security in 2030: the next decade.

4. WHERE ARE WE NOW?

5. https://fossbytes.com/windows-7-end-of-life-what-to-do-next/

6. https://fossbytes.com/windows-7-end-of-life-what-to-do-next/
https://www.wired.com/story/pwn2own-industrial-hacking-contest/

7. • Machine Learning/AI
• Threat Hunting
• Cloud Monitoring
• Bug Bounties
• Highly Interactive
Honeypots
• IoT all the things
• WAVES &
QUADRANTS
•CYBERWAR

8. DFIR REMEDIATION FOR SMART LIGHT BULBS
https://www.youtube.com/watch?v=1BB6wj6RyKo

10. WHERE HAVE WE BEEN?

11. ”
“The thing that hath been, it is that which shall be;
and that which is done is that which shall be done:
and there is no new thing under the sun.
Ecclesiastes 1:9

13. Syracuse Journal, December 3, 1910
Automotive Industries, 1906
$4,000 $114,210

14. http://jalopnik.com/5564999/the-failed-electric-car-of-henry-ford-and-thomas-edison

15. Power Grid monitoring & NSM timeline
1888 1965
William Bristol
Chart Recorder
19001880 20171920 1940 1960 1980 2000
First SCADA Systems
Digital
SCADA
Northeast
Blackout
Digital
Relay
Digital
Fault Recorder
2nd Northeast
Blackout
2003
3-Phase AC Grid
Conception
Ethernet
SCADA
1988 1990 2002
Network Security Monitoring
Network
Security
Monitor
USAF
DISA
NSM
Defined
Bro,
Snort
1998
PMU
NERC
Disturbance
Monitoring
PRC 002-2
NERC

16. https://twitter.com/amitranjan/status/815389401974861824

17. COMPUTER SECURITY AXIOMS
1. "If a system or network is vulnerable to legacy malware, then it is certainly
vulnerable to targeted attacks." Christopher Sistrunk 2016 (Sistrunk's Axiom)
2. If an attacker can use an existing feature of a targeted system, then they
aren't required to use a zero-day. Ralph Langner 2011
3. "Give a man an 0day and he'll have access for a day, teach a man to phish and
he'll have access for life." @thegrugq 2015
4. Compliance does not equal security. (unknown)
https://github.com/chrissistrunk/SecurityAxioms

18. COMPUTER SECURITY AXIOMS
5. "A backdoor for one is a backdoor for everyone." @munin 2017
• "But the reality is if you put a back door in, that back door's for everybody, for good guys and bad
guys." Tim Cook 2015
6. Security is a journey, not a destination (unknown)
• Earliest reference to full quote above is by Joel G. Ogren in 1999
• "Security is a process, not an end state." Mitch Kabay 1998
• "Security is a process, not a product." Bruce Schneier 1999
7. If something (has code/is online/has a computer chip), it can be hacked (multiple
variations)(unknown)
• "As society becomes more and more computerized, it becomes eminently more hackable." Deth
Vegetable, Cybermania 1994
• "Everything is hackable" A.J. Reznor 1997
• "Whenever an appliance is described as being 'smart', it's vulnerable." Mikko Hypponen 2016
https://github.com/chrissistrunk/SecurityAxioms

19. COMPUTER SECURITY AXIOMS
8. "Security's worst enemy is complexity" Bruce Schneier 1999
9. "Ability to type on a computer terminal is no guarantee of sanity, intelligence,
or common sense." Eugene Spafford 1987 (Axiom #2 from his Axioms of
Usenet)
10. Any security technology whose effectiveness can't be empirically
determined is indistinguishable from blind luck. (Geer's Law) Dan Geer 2003
• "Geer’s law is a paraphrase of the analysis first presented in 'Information Security: Why
the Future Belongs to the Quants.'” - Ian Grigg & Peter Gutmann 2011
https://github.com/chrissistrunk/SecurityAxioms

20. WHEN DID YOU START IN INFOSEC?
• 1980s or before
• 1990s
• 2000s
• 2010s

21. https://abelmvada.tumblr.com/

23. FOR ME?
I grew up with computers
• First computer – 8088 IBM PC
Clone
Prodigy / AOL
• HACKED!
BBSes, but no hacking community
• First upload was Wolfenstein 3D
• IT WAS A WHOLE MEGABYTE!!!!
• Anarchist Cookbook

24. FAST FORWARD
College
• LaTech – Electrical Engineering (Power)
• We had a Unix lab
• …but most everyone used pirated WinXP
Real Job
• Engineering stuff
• SCADA?? OpenVMS??
• RTUs?? Motorola 68k??
• RS-232??? 1200 Baud

25. THEN…
• INL AURORA attack (2007)
•S T U X N E T (2010)

26. SAFETY THIRD

27. THEN…
• INL AURORA attack (2007)
•S T U X N E T (2010)
• INL RedvBlue (2011)
• BSidesJackson (2012)
• DNP3 Fuzzing (2013)
• Blackhat / Defcon (2013)
• FireEye / Mandiant (2014)

28. THINK ABOUT WHY
YOU’RE HERE…
AND WHERE YOU WANT TO GO

29. 2020-2030: THE NEXT DECADE

31. WHAT DO YOU
THINK WILL
HAPPEN???

32. https://www.tesla.com/cybertruck

33. GLOBAL TECHNOLOGY
IoT
Voice
Recognition
Artificial
Intelligence
VR

34. USES OF VIRTUAL REALITY
Education
Travel
Medical
Recreation
GAMING
SEX

35. Problem Solving
Algorithm
Automation
6G
NETWORK TECHNOLOGY

36. WHERE ARE WE GOING?
WHAT WILL IT TAKE TO GET THERE?
• Will the past keep repeating itself?
• Humans will be humans
• The technology explosion will continue,
can security keep up?
• Was the loss of $$$$$$$$$$ enough?
• Will it take loss of life due to cyber-physical attack to truly
move the needle?

37. HEY EVIL
HACKERS!
STOP IT!

38. "SECURITY'S WORST ENEMY IS
COMPLEXITY“ SCHNEIER
1. Use LESS CODE and make SIMPLER
designs? K.I.S.S.
2. YOU CAN’T HACK PHYSICS
• Should we put strategic analog devices in
place?
https://www.csis.org/analysis/case-
simplicity-energy-infrastructure
• Should we have paper backups?
Tim Roxey

39. THE SECURITY PROBLEM MAY NEVER BE
COMPLETELY SOLVED

40. ULTIMATELY
• Ourselves
• Our Families
• Our Friends
• Our Work / Clients
It will come down to:

43. THANK YOU!
@CHRISSISTRUNK
CHRIS.SISTRUNK@MANDIANT.COM