If you follow me on Twitter, you've already seen my recap (I sent around 100 live tweets during sessions). You'll probably notice that I chose Blue Team talks wherever possible. I was tempted to go to more Red Team sessions since those were the hyped ones, but I am Blue Team, so I chose to focus on talks that can help me grow (boring, I know).
This talk reminded me quite a bit of "InfoSec Rockstar" by @teddemop (if you haven't read it, you really should). It's refreshing to hear voices in tech take emotional intelligence, self-awareness, and personal growth seriously. All of our peers have technical skills and "geek"; what sets us apart is our soft skills.
"Emotional Intelligence is at least as important, if not more important than the [technical]" @poornaudupi #BsidesSF @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 15, 2018
Quite a bit of emphasis was placed on getting organizational buy-in. One of the key ways mentioned was to "demonstrate presence in a way that the security team is part of every function". Don't just be the team in the corner that makes life more difficult for other teams; show how you are already a value-add.
Another great talk that put an emphasis on proving InfoSec's worth to the organization. Rafae made great points about placing more importance on security awareness training and prioritizing the right things. For example, it might be tempting to start red teaming early on, but what good is that if you already know you don't have operational controls in place? There's no sense in red teaming to discover something you already know you aren't doing well.
Why red team if you don't have operational controls in place? - @privacyphd #BSidesSF @BsidesSF
— Home Brewed Security (@HomeBrewedSec) April 15, 2018
Definitely the most entertaining session. Worth it even just to see @allanfriedman dressed as a game show host. The game show really highlighted some of our misconceptions around patching, and really encouraged us to "treat patching like the complex problem it is".
Excessive patch testing can take away resources from other critical security tasks @bitwatcher @jbanghart5 @allanfriedman @wendynather #BSidesSF #SoYouThinkYouCanPatch @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 15, 2018
"It's airgapped" is not a valid reason not to patch. #stuxnet @bitwatcher @jbanghart5 @allanfriedman @wendynather #BSidesSF #SoYouThinkYouCanPatch @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 15, 2018
After this talk, my new decision tree is "Can I see it? Can I throw it away? Can I make it more expensive [for attackers]?". He also turned the usual "users are stupid" on its head, encouraging us to make it safe to click everything. Why trust our users to be security administrators? That's our job.
Can I see it, can I throw it away, can I make it more expensive for attackers @SecTinkerer #BSidesSF #BlueTeamFundamentals @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 15, 2018
"Many people in our community say 'users are stupid, they will click on anything', let's make it safe to click" @SecTinkerer #BSidesSF #BlueTeamFundamentals @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 15, 2018
Wow. I am admittedly not a quant, but this made me want to be one (although it did make my head hurt). Cole went through how to use Euclidean distance and logarithms to assist with security assessments.
I immediately saw possible applications of this approach. I want to try to use this technique to highlight anomalies in our baselining, to identify potential compromises and keep them from entering our baseline.
There's a tools gap between static analysis and serious debugging #ColeThompson #WindowsSecurityAssessmentsAncientMath #BSidesSF @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 15, 2018
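The idea I took away, applied to baselining, as an added example (this is my own illustration written for this post, not code from Cole's talk): log-scale each host's activity counts so that a jump from 1 to 45 failed logons counts as much as a jump from 100 to 900 process launches, take the Euclidean distance of each host from the centroid of the baseline fleet, flag hosts that land outside the fleet's radius, and only fold the unflagged hosts back into the baseline. The host data, the three features, and the 1.5x threshold factor are all constructed assumptions for the example.

```python
"""Log-scaled Euclidean distance from a baseline centroid: flag hosts whose
activity profile drifted away from the fleet, and keep flagged hosts out of
the next baseline. Sample data and threshold are constructed for illustration."""
import math
from statistics import mean

# Constructed sample (not from the talk): per-host daily counts of
# (process creations, outbound connections, failed logons).
BASELINE = {
    "host-a": (120, 40, 2),
    "host-b": (95, 35, 1),
    "host-c": (140, 50, 3),
    "host-d": (110, 45, 2),
    "host-e": (100, 38, 1),
}
TODAY = {
    "host-a": (118, 42, 1),
    "host-b": (90, 30, 2),
    "host-z": (900, 1200, 45),  # constructed outlier: beaconing plus lateral movement
}

# Heuristic assumption: anything farther than 1.5x the most distant baseline
# host is treated as anomalous. Tune on your own fleet.
THRESHOLD_FACTOR = 1.5


def log_vector(counts):
    """log1p compresses the large features so no single count dominates the distance."""
    return tuple(math.log1p(c) for c in counts)


def euclidean(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def centroid(vectors):
    return tuple(mean(col) for col in zip(*vectors))


def fit_baseline(baseline):
    """Return (centroid, threshold) computed from the baseline hosts' log vectors."""
    vectors = [log_vector(c) for c in baseline.values()]
    center = centroid(vectors)
    radius = max(euclidean(v, center) for v in vectors)
    return center, radius * THRESHOLD_FACTOR


def score(observed, center, threshold):
    """Map host -> (distance from centroid, is_anomalous)."""
    result = {}
    for host, counts in observed.items():
        d = euclidean(log_vector(counts), center)
        result[host] = (round(d, 3), d > threshold)
    return result


def anomalous_hosts(baseline, observed):
    center, threshold = fit_baseline(baseline)
    verdicts = score(observed, center, threshold)
    return sorted(h for h, (_, flagged) in verdicts.items() if flagged)


def update_baseline(baseline, observed):
    """Fold only non-anomalous observations into the baseline, so a compromised
    host does not quietly become 'normal' for tomorrow's comparison."""
    center, threshold = fit_baseline(baseline)
    verdicts = score(observed, center, threshold)
    updated = dict(baseline)
    for host, counts in observed.items():
        if not verdicts[host][1]:
            updated[host] = counts
    return updated


if __name__ == "__main__":
    center, threshold = fit_baseline(BASELINE)
    print(f"threshold distance: {threshold:.3f}")
    for host, (d, flagged) in score(TODAY, center, threshold).items():
        print(f"{host}: distance={d:.3f} {'ANOMALY' if flagged else 'ok'}")
```

With these numbers the baseline hosts all sit within about 0.49 of the centroid, today's host-a and host-b land at roughly 0.3 and 0.4, and host-z lands near 4.9, so it is flagged and excluded from the updated baseline while the other two hosts' new counts replace their old ones.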
"If everything is urgent, nothing is urgent. How do we prioritize?". One potential answer was to use CVSS score and device risk rating to determine priority. Seems simple enough, why aren't more of us doing it?
I am going to attempt to aggregate CVSS score, device risk rating, remediation time, and whether the asset is external-facing to determine risk and priority using tools like vulnwhisperer and ELK.
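One way that aggregation could look in code, as an added example written for this post (it is not from the talk and is not VulnWhisperer's or ELK's output format): the CVSS base score is multiplied by the device's risk rating and an exposure factor, findings that have blown past their severity-band SLA get a bump, and findings the scanner never scored are reported separately instead of silently dropping to the bottom. The findings, the 1..5 device rating, the SLA days, and the 1.5x/1.25x factors are all assumed values for illustration.

```python
"""Vulnerability prioritization combining CVSS base score, device risk rating,
internet exposure, and time open. Weights, SLAs, and findings below are
assumptions constructed for illustration, not real scanner output."""
from dataclasses import dataclass
from typing import Optional

# Remediation SLA in days per CVSS v3 severity band (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
EXTERNAL_FACTOR = 1.5   # assumption: internet-facing assets weigh 50% more
OVERDUE_FACTOR = 1.25   # assumption: findings past their SLA get a 25% bump


@dataclass
class Finding:
    ident: str
    cvss: Optional[float]   # CVSS base score; None if the scanner gave none
    device_risk: int        # 1 (throwaway lab box) .. 5 (crown-jewel system)
    external: bool          # reachable from the internet?
    days_open: int


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def is_overdue(f: Finding) -> bool:
    return f.cvss is not None and f.days_open > SLA_DAYS[severity(f.cvss)]


def priority(f: Finding) -> Optional[float]:
    """None means 'cannot be ranked yet'; callers must not treat that as low."""
    if f.cvss is None:
        return None
    score = f.cvss * f.device_risk * (EXTERNAL_FACTOR if f.external else 1.0)
    if is_overdue(f):
        score *= OVERDUE_FACTOR
    return round(score, 2)


def rank(findings):
    """Return (ranked list of (ident, score, overdue), idents that could not be scored)."""
    scored, unscored = [], []
    for f in findings:
        p = priority(f)
        if p is None:
            unscored.append(f.ident)
        else:
            scored.append((f.ident, p, is_overdue(f)))
    scored.sort(key=lambda t: t[1], reverse=True)
    return scored, unscored


# Constructed findings (ident, cvss, device_risk, external, days_open).
FINDINGS = [
    Finding("F-001", 9.8, 5, True, 3),    # critical bug on an exposed crown jewel
    Finding("F-002", 7.5, 2, False, 45),  # high, internal, but 15 days past SLA
    Finding("F-003", 5.3, 5, True, 10),   # medium bug on an exposed crown jewel
    Finding("F-004", 9.1, 1, False, 2),   # critical CVSS, but an isolated lab box
    Finding("F-005", None, 3, True, 20),  # scanner returned no CVSS score
]

if __name__ == "__main__":
    ranked, unscored = rank(FINDINGS)
    for ident, score, overdue in ranked:
        print(f"{ident}: {score:6.2f}{'  OVERDUE' if overdue else ''}")
    print("needs manual scoring:", unscored)
```

The ordering is the point: F-004's 9.1 CVSS on a low-risk internal box lands last, below F-003's 5.3 on an exposed critical host, which is exactly the "CVSS alone is not priority" argument from the talk.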
Way too many take-aways to list them all here. One of the most interesting things to me was contrasting the cultural landscapes of the US and EU in how they relate to security. They discussed that the right to be forgotten / right to erasure wouldn't work because of the First Amendment, and that GDPR in general is in contrast to our views on privacy. And there's this about Net Neutrality:
Good news: FCC's anti-net-neutrality leg is poorly written, extremely vulnerable, actively fought. Multiple states upholding #NetNeutrality at the state level @EFF #AsktheEFF #BSidesSF #BSidesSF2018 @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 16, 2018
Don't just listen to people that have different perspectives, amplify their voices @kledoux #BSidesSF #BSidesSF2018 @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 16, 2018
Connect your change requests to well defined problem statements @kledoux #BSidesSF #BSidesSF2018 @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 16, 2018
Heard about FIDO2, got a free YubiKey. That was cool.
#JerrodChong #SimpleOpenMobile #BSidesSF #BSidesSF2018 @BSidesSF pic.twitter.com/4xuHHLpG9Z
— Home Brewed Security (@HomeBrewedSec) April 16, 2018
I end up serving a sales role quite often. Even though this talk was focused on convincing internal departments of the worth of cybersecurity, it applies to third parties as well. Great ideas were proposed here, definitely things that I'll use on a regular basis.
Vendor security requests mean that our customers care about security, or want to make it look like they do #AriannaWillet #BSidesSF #BSidesSF2018 @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 16, 2018
Tons of great statistics in this one, without any of the FUD. Once again, heard the idea that it's "a bad idea to count on a human to inspect every URL bar", and that we should be doing more to protect users.
Great tip: call your cell provider and ask them to put a port block (a port-out lock) on your number, so it can't be moved to another carrier without extra verification.
"The assumption that control of a phone number is sufficient for identification is false" @nealmueller #BSidesSF #BSidesSF2018 @BSidesSF
— Home Brewed Security (@HomeBrewedSec) April 16, 2018