The document discusses how network, endpoint, cloud, custom development, off-the-shelf, and security tool security are all difficult to implement effectively. It notes that attacks can come from many vectors, including supply chains, social engineering, and zero-day exploits. The document argues that while nothing is perfectly secure, organizations must work to manage risks through long-term policies, trained security personnel, standardization, vendor responsibility, and limiting zero-day vulnerabilities. The overarching message is that cybersecurity is a complex challenge due to the inherent insecurity of modern computing systems and interconnected networks.

1. Nothing is secure
Bozhidar Bozhanov

2. About me
● Software engineer and architect
● Founder of a cybersecurity startup
● Minister of electronic governance of Bulgaria (2021-2022)
● Member of Bulgarian parliament
● https://techblog.bozho.net
● Twitter: @bozhobg

3. Network security is hard
● What is “network security” anyway?
● Network firewall, WAF
● Network segmentation, DMZ
● IDS?
● VPN / ZTNA
● DNS securuty
● DDoS
● Email security (in & out)
● Honeypots
● ….

4. Endpoint security is hard
● AV/NGAV/EPP/EDR/XDR?
● DLP
● BYOD policies
● USB policies
● AD/Azure AD
● Mobile security, MDM
● IoT
● Printers (example: Bangladesh bank)

5. Cloud security is hard
● IaaS configurations
● IAM, API access
● Container management
● Cloud monitoring, security centers, agents
● SaaS - MFA
● SaaS - “trust us”
● SaaS - shadow IT

6. Custom development is hard
● OWASP
● Configuring =CSP, CSRF tokens
● Upload filters
● XSS - input & output
● Access control per HTTP endpoint
● Dependency management, hot patching
● SDLC
● Regular pentests

7. Off-the-shelf security is hard
● “Custom software is hard, I’ll get something off-the-shelf”
● Same problems, but outside our control
● Which ports does it use?
● How do we collect the ogs (example: SAP security audit log)
● How to hide problems behind the firewall?
● Virtual pathing
● Vendor goes bankrupt/acquired/stops support

8. "No problem, we’ll get the best security tools
and that will fix things"

9. Security tools are hard
● Sometimes missing exactly the thing that we need
● Blocks normal usage, but lets the bad guys in (example: downloading binaries as
base64 text files)
● Expensive
● Allegedly integrated, but you need many tools which hardly talk to each other
● Data sheet (only) functionality
● False positives

10. Attacks abound
● Supply chain (solorigate)
● Pseudo-airgapped (Jeep hack, VLAN-”airgapped”)
● Unvetted companies and experts (“where did this backdoor come from?”)
● Physical access compromise (MIFARE classic, HRM integration)
● Social engineering (“weakest link”, example: “not my job to care”)
● 0days (example: Pegasus iPhone 0day)

11. All of that is hard
even if we have qualified people

12. Many organizations don’t have them.
The public sector doesn’t have them.

13. We’ve built something overly complex on a
bunch of silicon, “mirrors” in a tube and 0s
and 1s. There’s no built-in security, it’s
always added later.
That makes things very, very hard.

14. Nothing is secure…
...but we have to manage risk

15. Government at the moment

16. Long-term policies
Trained people
Standardization
Responsibility of vendors
Limiting 0day stashing

17. Nothing is secure…
…but it has to become less and less insecure.

18. Thank you!