The cyber security hype cycle is upon us
1. It seems what we were saying about government snooping, side-channel attacks, data exfiltration, corporate disclosure, poor product delivery, 3rd party vendor trust, the security opt-out model, cloud, CEO ignorance etc. was right.
3. Is there a wave to be ridden, or shall we keep our heads down until the disruption passes?
4. ~15 years in the industry:
ADI still confusing
Advancement
13. ADI – Looking at History: Ploughing
• Progress measured by Scale and the power-scale ratio
• What’s actually important is not the nomenclature but what it stands for:
• Removal of the human element and automation
14. Does the same apply to tech?
• Progress measured by reduction in Size and increase in Capacity
15. Greed is good
• Whether through
• Reduction of work force = increase in profits
• Reduction in size and increase in capacity (more information stored in less space)
• More cores on a chip
• More data in a lake
• More bits down a pipe
• Bigger is Better!
16. Nice story… but
• You’re probably bored, and this isn’t an academic treatise on definitions!
• And what on earth does this have to do with surfing waves or hiding in a bomb shelter and waiting for the debris to settle?
25. In fact; 1989 vs. 2016
(Mikko Hypponen Tweet from March 2016)
26. So things are the same?
• The plough has become the automated machine, categories are the same.
• What used to be this:
• Is now this:
• msf > use exploit/multi/java_rmi_server
• msf exploit(java_rmi_server) > set RHOST 192.168.2.7
• msf exploit(java_rmi_server) > exploit
• ……..
• Meterpreter > shell
(Diagram: Build/Simulate Environment → Obtain software → Install software → Reverse software → Create exploit → Weaponize → Deploy)
27. Categories stay the same, scale changes, fall-out more important (Wannacry, no cyberwar in Ukraine, right ;)
28. Change of the game:
• Now the time to mention buzzwords
• IoT, Big Data, Data Lakes, AI, Machine Learning etc. and
29. Algorithms create algorithms - Google, google and more google
• Google – crypto algorithm
• Alice and Bob communicating incognito blocking out Eve
• Deepmind
• AlphaGo, AlphaZero (Go and Chess)
• Google: Voice synth on par with humans
• Tacotron 2
Poof and magic: Accountability removed…
30. Backpropagation 1986: One trick pony?
• The explosion of a singular idea:
• Deep-learning nets or backpropagation nets are:
“Neural nets can be thought of as trying to take things—images, words, recordings of someone talking, medical data—and put them into what mathematicians call a high-dimensional vector space, where the closeness or distance of the things reflects some important feature of the actual world.” –Hinton
• The problem:
• “Neural nets are just thoughtless fuzzy pattern recognizers, and as useful as fuzzy pattern recognizers can be—hence the rush to integrate them into just about every kind of software—they represent, at best, a limited brand of intelligence, one that is easily fooled”
31. The Others
• Cylance
• N/A
• Darktrace
• Bayesian learning
• PatternEX
• Supervised learning
• DARPA,
• Cyber Grand Challenge: AI at war: Mayhem wins
32. We are facing something new!
• It’s happening on the fringes, for most …
• But being integrated across the board, meaning… ohh no, the speed limit is 45mph
33. My Predictions for the Enterprise 2018
• Privacy moves into a leading position: Security supports Privacy
(Diagram: Privacy, Security)
34. My Predictions for the Enterprise 2018
• Apple exploits gain more traction: root -> return, return, return
35. My Predictions for the Enterprise 2018
• Phishing, phishing and more phishing: Because it works
36. My Predictions for the Enterprise 2018
• More issues with the open source stack
• Because you thought it was hard to maintain and patch “managed software”, now you’re managing stuff created (for a large part) by non-professionals
38. My Predictions for the Enterprise 2018
• DDoS – Doesn’t get enough press and is a fundamental problem: Mirai, Reaper etc. Scale again!
39. My Predictions for the Enterprise 2018
• 3rd party vendor breaches: Let’s go in through the backdoor
• Cue: Target, Deloitte, Amazon, Equifax, DHS, etc., all organisations charged with responsibly handling customer information.
• How secure are your partners really?
• They WILL lie to you….
40. My Predictions for the Enterprise 2018
• ML/AI, or simply stochastic modelling
• Model reliance will become more ubiquitous, and explainable AI will increase in complexity. Trust the machine
41. My Predictions for the Enterprise 2018
• Companies continue to struggle with SOC deployments, incident response, log fatigue etc.
42. My Predictions for the Enterprise 2018
• Skills gap deteriorates further: Security Theatre continues
LinkedIn trolling:
• Banking CISO: No formal education in IT
• Pharma CISO: No formal education in IT
• Manufacturing CISO: No formal education in IT
• Energy CISO: No formal education in IT
• Chemical CISO: No formal education in IT
• Agriculture CISO: No formal education in IT
• University CISO: Degree in Engineering
• Government CISO: Degree in Computer Science
• Technology CISO: Degree in Mathematics
43. Last thought(s)
• No one talks about on-premise solution offerings anymore
• Have we forgotten how to build?
• Where are the CBAs (cost-benefit analyses) for this vs. cloud, in today’s situation?
• Pandora’s box has been opened, “there’s no going back, you’ve changed things”
44. Vendor lock-in
• APIs, JSON calls and all other integration fudge = vendor lock-in like we’ve never seen before.
• CoreOS CEO Alex Polvi:
• “Lambda and serverless is one of the worst forms of proprietary lock-in that we've ever seen in the history of humanity”
• “It's code that tied not just to hardware – which we've seen before – but to a data center, you can't even get the hardware yourself. And that hardware is now custom fabbed for the cloud providers with dark fiber that runs all around the world, just for them. So literally the application you write will never get the performance or responsiveness or the ability to be ported somewhere else without having the deployment footprint of Amazon.”
45. Consumer rights
• Tech’s wild-west and lack of accountability
• Gov.uk:
• You can get help if you’re treated unfairly or when things go wrong. This includes:
• credit and store cards
• faulty goods
• counterfeit goods
• poor service
• problems with contracts
• problems with builders
• rogue traders
• IT never mentioned anywhere and it’s going to get worse!
46. Handling of CPU bugs disclosure 'incredibly bad': OpenBSD’s Theo de Raadt
"It is a scandal, and I want repaired processors for free. I don't care if they are 30% slower, as long as they work to spec. Intel has been exceedingly clever to mix Meltdown (speculative loads) with a separate issue (Spectre). This is pulling the wool over the public's eyes."
48. BACKUP
Slides, for fun and reference
Covering the topics:
- ADI definition
- Predictions
- Threats
- Thoughts from Lyft CISO
49. Is this advancement, innovation or just disruption?
• Are they the same?
• What is advancement (positive)
• What is disruption (negative)
• Each cause change
• But when should we react?
• Everything is ADI
50. Predictions are always dangerous
Speed differentials
Enterprise, vs. small business vs. start-up
51. Enterprise 2018
• Not much will change
• Asset inventory will still be challenging
• AV, or NGAV, will start to replace traditional AV, however it is more about re-branding
• L1 SOC automation (PatternEX, Smart Algor’s, etc.) will start, but the industry is still immature
• Data science and security staff skill shortage will still be an issue
• Automation will be pushed harder
• But real disruption around tech, e.g. advanced data analytics, containerisation scalability, software robotics, AI-powered incident response, advanced endpoint protection, is likely not to happen outside specialised groups
52. Small business
• Lack of in-house skills will likely lead to slow adoption; security will still be ‘bolted-on’ and not built in
• Migration of service providers to Cloud IaaS and SaaS, but these will be packaged and re-sold. Small businesses won’t actually feel the change, until it goes wrong
53. Start-ups
• Will pivot on new tech, because they need to ‘pretend’ they are mature and through this they can show glitz and glamour, e.g.
• Yeah, we can scale to 1000+ endpoints as we leverage AWS Elastic Compute
• You want pretty dashboards? Of course, we leverage Elasticsearch and the ELK stack
• Deploy anywhere and access at any time? Of course, we have an HTTP(S) mgmt. dashboard hosted on Azure with seamless integration into your AD
• Use of AI and cutting-edge ML? Of course, we run TensorFlow out of the box and scale it across our platform.
• Blah, blah, blah
56. Prediction: MIT’s takeaways
• More breaches: Equifax
• Thank you data consolidation, data lakes and the emergence of the data broker; cue service providers
• Ransomware in the Cloud
• Did I mention: Lack of control? Maybe another EternalBlue, accidental leak?
• NotPetya (EternalBlue), Wannacry (EternalBlue), Cryptolocker (email attachment)
• Weaponisation of AI
• Cyber-physical attacks
• Mining Crypto currencies
• Hacking elections
57. Prediction: PWC
“2018 could be the year that the third leg of the information security triad, integrity of data, really comes to the fore.
All organisations rely on the integrity of their data to function, from the food supply chain, to the medical profession, to any company reporting financial results. An attacker that can cause a question mark to appear over the integrity of their target's data could potentially cause huge damage.”
58. Prediction: Symantec
Symantec:
1. Blockchain Will Find Uses Outside Of Cryptocurrencies But Cyber criminals Will Focus On Coins and Exchanges
2. Cyber criminals Will Use Artificial Intelligence (AI) & Machine Learning (ML) To Conduct Attacks
3. Supply Chain Attacks Will Become Mainstream
4. File-less and File-light Malware Will Explode
5. Organisations Will Still Struggle With Security-as-a-Service (SaaS) Security
6. Organisations Will Still Struggle With Infrastructure-as-a-Service (IaaS) Security – More Breaches Due to Error, Compromise & Design
7. Financial Trojans Will Still Account For More Losses Than Ransomware
8. Expensive Home Devices Will Be Held To Ransom
9. IoT Devices Will Be Hijacked and Used in DDoS Attacks
10. IoT Devices Will Provide Persistent Access to Home Networks
59. Threats are still easy: AV avoidance
Old days (signature):
• Byte change
• Polymorphic engines
• Dynamic programming techniques
Modern day (AI, behaviour-based and NGAV):
• Code obfuscation
• Alternate Data Streams (NTFS ADS)
• In-memory
60. New threats
• Air-gap bridged (laser keyboard analysis)
• Marketing malware – marketing ads fight each other
• Quote from Joanna Rutkowska: “Don’t be deluded that a single user system is a non-shared computer… Modern computers execute so much 3rd-party code & parse so much untrusted input, that we must assume they are ‘shared’” 06.01.18
61. Lyft CISO: Mike Johnson
I'm not interested in the top Security stories or top trends of 2017. I was there. I am more interested in what flew under the radar or what got too much coverage.
My offerings:
• Threat intelligence as a product is oversold and there are way too many companies in this space
• We don’t have an officially appointed US Federal CISO (Grant Schneider is “acting”)
• Your AI product is not intelligent
• We are working on bringing in more diverse candidates in our entry level jobs, but not doing enough for our more experienced professionals from diverse backgrounds
• Phishing your employees and then forcing anyone who clicks a link to sit through a half hour video is not raising security awareness - it's just making your employees resent you