STATE OF THE CYBER WORLD
A LOOK AT THE DIGITAL ERA FROM AN INDUSTRY INSIDER
BEN JOHNSON - NOVEMBER 2018
CTO/COFOUNDER OBSIDIAN SECURITY
WHO IS BEN?
HOW ARE WE DOING?
WHY ARE WE HERE?
WHAT’S GOING ON?
IS THERE HOPE?
HOW CAN I HELP?
BEN JOHNSON
Co-Founder and CTO, Obsidian Security
Co-founder and former CTO of Carbon Black, built the first EDR product; Previously, NSA CNO and AI Lab
[Timeline figure: Employment and Board Seats, 2000 to 2017]
1st Technical Advisor to US FISA Court (Dept. of Justice)
WHY ARE WE HERE TODAY?
EDUCATION & CONTEMPLATION
“FORCED REFLECTION”
THE DIGITAL WORLD
Explosion of Online Devices
Explosion of Online Users
Explosion of Online Data
HOW ARE WE DOING?
WHAT’S GOING ON HERE?
HEADLINE
LACK OF ESTEEM
Largely because of the talent shortage and the decaying tools, teams have very little confidence that they can make a difference. This leads to slower progress and playing it safe.
DEPLOY-AND-DECAY
Products should get better, more effective over time, and yet they actually get worse. This applies to IT and the overall environment too. Rusting, aging technology at the forefront of our cyber battle lines is not a winning strategy.
TALENT SHORTAGE
~1,000,000 open security positions — that’s a lot of empty chairs! It really hurts our collective ability to defend.
LACK OF AWARENESS
Individuals, employees, and companies don’t realize the scope and scale of these problems.
AWARENESS
We Must Understand
The Power of the Dark Side
SOPHISTICATED GROUPS
DIFFERENT TYPES OF THREATS
Cybercriminals
• Broad-based and targeted
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage
• Motivated by data collection
• Highly sophisticated with endless resources
Insiders
• Targeted and destructive
• Unpredictable motivations
• Sophistication varies
MAJOR ATTACKS
2013 - TARGET
2015 - OPM
2016 - DYN
2014 - SONY
2013 - TARGET
1. Compromised via a Third-Party Vendor (HVAC)
2. Easy Reconnaissance; Ignored Initial Alerts
3. Russian Crime Syndicate; 17 yr old wrote the malware
4. Internal Infrastructure Used Against Themselves
2014 - SONY
1. Internally Everything Destroyed; Whole World Saw Emails and Sensitive Information
2. Most of the Company Had Too Much Access; Passwords were stored in files named ‘Passwords’
3. GUARDIANS OF PEACE (North Korean Government)
4. Warning Signs were Ignored
2015 - OPM
1. Compromised Using Defense Contractor’s Credentials
2. Encryption is great, but it doesn’t stop those who have passwords or credentials
3. Chinese Government
4. Data Stolen During Holiday Weekend When Staffing was Light.
2016 - DYN
1. Millions of Compromised Digital Video Cameras (some say 100,000)
2. Unpatched IoT Devices (Video Cameras)
3. Hackers - For Profit or Other Motive?
4. Plenty of Individuals, Companies, and Vendors to Blame!
MORE EXAMPLES
OK, OK, ENOUGH!
IT’S GETTING EASIER
PUBLICLY AVAILABLE TOOLS
CRAFTING AN ATTACK
RECONNAISSANCE
GETTING TECHNICAL
FINDING THE WEAKNESS
BUYING OR BUILDING THE PAYLOAD
TARGETING THE VICTIM
ONE CLICK MIGHT BE ALL IT TAKES
WAIT, WHAT ABOUT COMPLIANCE?
COMPLIANCE != SECURITY
Compliance is often about passing a test. Security is about risk mitigation and operational defense.
WAIT, WHAT ABOUT CLOUD?
Lots of benefits of cloud adoption … we aren’t really here for that.
Hackers want this!
EVEN WITH OFFICE365 (OR GMAIL)?
Microsoft handles the underlying infrastructure, including patching and updating, and handles accessibility of the service.
You are responsible for what is emailed, who accesses the email, and how they access the email.
SO WE MUST CONSIDER ACCESS
“stolen credentials...are easier, less risky, more productive.”
— Rob Joyce, Chief NSA Hacker (TAO), 2016
“Misuse of privileged credentials involved in 80% of data breaches”
— Forrester, 2016
Human Attack Surface Area is Increasing (more credentials, more accounts)
Attackers Target Humans
“Hackers don’t break-in, they login.”
— John Stewart, CISO, Cisco
FIGHTING BACK
IS THERE ANY HOPE?
HIGH-LEVEL SUPPORT
Governments, Boards, and Executives MUST show support for better cyber defenses and employee education.
COLLABORATION
We cannot individually fight such overwhelming odds — we MUST work together or we have no shot.
INNOVATION
There’s a lot of technological improvements and open source options — you MUST keep up with new ways to defend your environment.
ENTHUSIASM
If we don’t believe we can do it, then we won’t make things better. We must believe that we can improve the status quo.
HOW CAN I HELP?
HAVE AWARENESS
Continue to learn about cyber threats, best practices, and how you are at risk. Understand what devices in your home or business are potential attack vectors.
DON’T REUSE PASSWORDS
A lot of problems are because of poor passwords or reused passwords — get a password manager and stop re-using passwords!
UPDATE YOUR SYSTEMS
Make sure your systems are set to update their software, as routinely there are security issues or other risks identified and mitigated.
USE CAUTION
The majority of attacks are as simple as a phishing email or an impersonation email that asks you to do something. Be careful what you choose to open, reply to, or sign into.
HOW CAN MY ORGANIZATION HELP?
AWARENESS PROGRAMS
Spend time, money, and resources on awareness, such as the current risks the organization faces, best practices, and what to do in suspicious situations.
COOPERATION
Share best practices, the attacks being seen, lessons learned, and share responsibility for improving the safety of the internet.
CREATE STANDARDS
Create standards and stick to them, such as having updated systems, or keeping laptops, servers, and policies consistent.
INCENTIVIZE GOOD PRACTICES
Encourage users to do the right thing by making it easier for new IT systems, new accounts, and other changes to follow standards and be tied into centralized security operations.
GETTING MORE TECHNICAL
“SHIFT LEFT”
Incorporate security into the software-development-lifecycle and devops so that systems are more secure by design.
STOP PRIVILEGE CREEP
Reduce the access granted to individuals, whether the number of accounts or the privilege levels.
BUILD & ENGINEER
Tie together pieces of the tech stack! Utilize software engineering and APIs to automate, orchestrate, analyze, and scale.
USE ANALYTICS
Analyze data and look for patterns and trends in your environment. Compare employee behavior against previous and peer behavior.
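The "compare employee behavior against previous and peer behavior" check, as an added example that is not code from the deck or from Obsidian Security: it scores each user's latest week of constructed activity against their own earlier weeks and against their teammates, floors the standard deviation so a flat history cannot produce an infinite score, and skips a baseline that has no data (first week, single-member team). User names, teams and counts are all constructed.

```python
"""Score each user's latest week against their own earlier weeks (self
baseline) and against teammates (peer baseline), as the "USE ANALYTICS"
slide suggests. Constructed sample; not code from the deck."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed weekly summaries (user, team, week, logins, distinct_hosts);
# alice's week-4 host count is the planted anomaly, dave's are team-normal.
ACTIVITY = [
    ("alice", "finance", 1, 40, 2), ("alice", "finance", 2, 42, 2),
    ("alice", "finance", 3, 38, 2), ("alice", "finance", 4, 41, 9),
    ("bob", "finance", 1, 35, 2), ("bob", "finance", 2, 37, 3),
    ("bob", "finance", 3, 36, 2), ("bob", "finance", 4, 37, 2),
    ("carol", "finance", 1, 44, 3), ("carol", "finance", 2, 45, 2),
    ("carol", "finance", 3, 43, 3), ("carol", "finance", 4, 42, 3),
    ("dave", "eng", 1, 62, 10), ("dave", "eng", 2, 65, 12),
    ("dave", "eng", 3, 60, 11), ("dave", "eng", 4, 64, 13),
]
METRICS = ("logins", "distinct_hosts")


def zscore(value, sample, floor=1.0):
    """Standard score of value against sample; the deviation is floored so a
    perfectly flat history cannot turn a one-unit change into infinity."""
    return (value - mean(sample)) / max(pstdev(sample), floor)


def find_outliers(rows, current_week, threshold=3.0):
    """Return {user: [reason, ...]} for users whose current-week metric sits
    at least `threshold` standard deviations from either baseline."""
    by_user = defaultdict(list)   # user -> [(week, (logins, hosts))]
    team_of = {}
    for user, team, week, logins, hosts in rows:
        by_user[user].append((week, (logins, hosts)))
        team_of[user] = team
    flagged = defaultdict(list)
    for user, weeks in by_user.items():
        current = dict(weeks).get(current_week)
        if current is None:
            continue              # no activity this week: nothing to score
        own_prior = [m for w, m in weeks if w != current_week]
        peers = [m for u, ws in by_user.items()
                 if u != user and team_of[u] == team_of[user] for _, m in ws]
        for i, name in enumerate(METRICS):
            for label, sample in (("own history", own_prior), ("peers", peers)):
                if not sample:    # first week or single-member team: no baseline
                    continue
                z = zscore(current[i], [m[i] for m in sample])
                if abs(z) >= threshold:
                    flagged[user].append(f"{name}: {z:+.1f} sd from {label}")
    return dict(flagged)
```

Only alice is flagged for week 4: her host count jumps against both her own flat history and her finance peers, while dave's much larger host counts are ordinary for his team and stay quiet.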
JOIN THE RESISTANCE!
THANK YOU!
@CHICAGOBEN
https://www.linkedin.com/in/benjaminjohnson80
bjohnson@obsidiansecurity.com

State of Cyber: Views from an Industry Insider