When you think of Milwaukee, you might think of squeaky cheese curds, polka music, and the Bronze Fonz. But now I will always associate this city on the lake with cybersecurity, thanks to Cyphercon 6, which was held on March 30 and 31, 2023. This year there were nearly 1500 participants, making it the largest security or technology conference in Wisconsin.

Cyphercon is a 'hacker conference' much like ShmooCon or DEFCON. While there are sessions, the event also focuses on villages and capture-the-flag competitions. Unique among conferences I have attended, the first day started after lunch and ran until 10:30pm, when the networking after-party officially started.

There was so much knowledge shared by all the enthusiastic participants that it would be impossible to try and cover it all. Here are just a few highlights from the two-day event.

The Importance Of Security Training

Throughout almost every session, the speakers touched on the importance of training. According to some studies, 88% of all breaches are the result of human error; getting your team trained is not optional. Multiple presenters made the point that we can't just 'blame the user,' who might have only had a 5-minute overview during their orientation when they were brand new.

While ideally you could get the executive team or non-technical staff to go to an event like Cyphercon to get some deeper exposure to cybersecurity, realistically we need to come up with ways of making training more engaging and impactful.

In his talk "Executives: Overcoming the CyberSecurity Poverty Line," Robert Wagner said he sees teams and executives making the same mistakes over and over. He cited the fact that 45% of employees receive no security training at all from their employer. Training must become an essential part of risk management strategy.

Beyond just providing minimal training, organizations need to embrace a culture of learning, meaning ideally, team members should be continually learning and teaching each other new skills. Management should see training as an ongoing process and not just a box to check. He said great managers know if they can make learning fun and supportive, then they can create armies of security experts. The exact right balance is to "train them so well they could leave for another position but treat them so well that they want to stay!"

Another mistake is using security training as a punishment. Negative reinforcement will drive people to hide their behavior or, worse yet, breed resentment among coworkers who they fear might turn them in. We need to create a healthy security culture where it is clear that it is OK to ask for help and where everyone feels valued as a member of the security team, no matter what their title. He suggests combining security training with contests to see who can spot the most threats. Another example was to incentivize and celebrate people for sharing screenshots of phishing attempts.

If you need some ideas for building a training program, Robert shared some free cybersecurity basics training that you can use with your team.

The name of Robert's session comes from Wendy Nather's research, where she defined the Cybersecurity Poverty Line as the threshold that divides all organizations into two distinct categories: those that are able to implement essential measures well and those that are unable.

Email Threats

While folks in the cybersecurity world tend to focus on technical threats, including the software supply chain and malicious actors finding our credentials and installing ransomware, the majority of breaches involve a human being clicking on something they should not in an email. Teaching employees what to look for is a great step towards a more secure enterprise.

In his talk "You’ve Got Mail (and Misdirected Funds): A Demo of Business Email Compromise," Drew Hjelm walked us through a Business Email Compromise (BEC). It started with a user clicking on a suspicious email link asking them to review a PDF. Instead of logging into the real site, they entered their credentials, including their MFA token, on a very real-looking phishing site.

The attacker then had access to the session token, which was used to get into the victim's Microsoft365 account. Once inside, the attacker found a recent unpaid invoice, copied the format, and emailed the victim an 'updated' invoice. The attacker also implemented some rules to make sure the bad emails were not flagged as junk and the legitimate emails from the original invoice were never seen.

While this is an all too common scenario, Drew said BEC incidents extend beyond the email inbox. He noted that apps built on Electron, which is the tech behind Slack, Teams, and Discord, can just as easily be compromised: if an attacker finds the right URL containing an access token, similar attacks can be executed.

While education on how to spot a phishing attempt and what not to click on is a needed step toward better security, organizations also need to have some protections in place. Implementing conditional access, looking for things like unexpected IP addresses, or setting up domain impersonation protection rules can make it harder for attackers to succeed. Monitoring for suspicious activity, such as mail rule changes, can also help prevent BEC from succeeding.
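As an added example (not code from the talk or from this post), the mail-rule monitoring mentioned above could look like this in Python over exported audit records. The record shape is a simplified assumption modeled on Microsoft 365 audit entries, and the sample records, addresses, folder watchlist and function names are constructed for illustration.

```python
import json

# Operations that create or change inbox rules in Exchange Online audit data.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders where moved mail is rarely looked at (assumed watchlist, tune locally).
QUIET_FOLDERS = {"deleted items", "junk email", "rss feeds", "conversation history", "archive"}
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def rule_reasons(params, own_domain):
    """Return the reasons a single inbox rule looks like BEC concealment."""
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in QUIET_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    for name in FORWARD_PARAMS:
        for addr in params.get(name, "").split(";"):
            addr = addr.strip().lower()
            if addr and not addr.endswith("@" + own_domain):
                reasons.append(f"{name} external address {addr}")
    return reasons


def suspicious_rule_events(audit_lines, own_domain):
    """Scan JSON audit records and return (user, ip, operation, reasons) findings."""
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue  # not a rule change, e.g. MailItemsAccessed
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        reasons = rule_reasons(params, own_domain)
        if reasons:
            findings.append((rec["UserId"], rec.get("ClientIP"), rec["Operation"], reasons))
    return findings

SAMPLE = [  # constructed records, simplified from the unified audit log shape
    '{"UserId":"ap@example.com","ClientIP":"203.0.113.50","Operation":"New-InboxRule",'
    '"Parameters":[{"Name":"From","Value":"billing@vendor.example"},'
    '{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"UserId":"bob@example.com","ClientIP":"198.51.100.7","Operation":"New-InboxRule",'
    '"Parameters":[{"Name":"MoveToFolder","Value":"Projects"}]}',
    '{"UserId":"ap@example.com","ClientIP":"203.0.113.50","Operation":"MailItemsAccessed"}',
    '{"UserId":"ap@example.com","ClientIP":"203.0.113.50","Operation":"Set-InboxRule",'
    '"Parameters":[{"Name":"ForwardTo","Value":"ledger@mail.example"}]}',
]

if __name__ == "__main__":
    for user, ip, op, reasons in suspicious_rule_events(SAMPLE, "example.com"):
        print(f"{user} from {ip}: {op} -> {'; '.join(reasons)}")
```

Pairing each finding's client IP with the unexpected-IP checks mentioned above helps separate a user's own housekeeping rules from ones created in a hijacked session.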


Drew's points were reinforced by Joe Cicero in his talk "Dragons Can Fly." The name comes from the fact you can build fortified strongholds that can guard against armies of invaders, but dragons can just fly over our walls. In the real world, internal actors invite threats in, over the walls, by falling for phishing scams: the number one way ransomware ends up in systems.

Joe went on to say that training must be a continual process, even if it is highly effective. Even if the training content is excellent, the employee base for any organization will not be stable. Using some basic back-of-envelope math, he showed that a company with 5000 employees that experiences a turnover of 0.5% a month is losing around 300 people per year. Those people will most likely be replaced, and any hiring the company does for growth on top of that can mean many hundreds of new people to train every year.

To make training even more of a challenge, we need to deal with the constantly evolving threat landscape. The main 'new' issue he brought up that he is facing in his company was 'domain rental.' One of the ways to check if a website is legitimate is to see how long the domain has existed. Very new sites are less trustworthy, and you can filter for this across your networks. But did you know that for a few hundred dollars per month, you can rent existing domains that are years old and already categorized as 'safe' by most tools and launch attacks from there? This makes it much harder to prevent employees from seeing or clicking on suspicious links.

The best way to be safe is to turn your whole team into what Robert Wagner described as 'carbon-based intrusion detection systems' through empowering security training.

Understanding Your Organization's Threat Model

In his session "What I learned about hacking and security from working at Hollywood Video," Ben Schmerler shared how to map out a threat model, no matter where you work. He also told some amusing stories about his time at the now-defunct video rental store chain, including being forced to work in a tuxedo vest and black tie even if the air conditioning broke down and how much rainwater those overnight return boxes could hold.

A basic threat model includes 3 main elements, though different models might use different language:

  • Assets
  • Threats
  • Protection/security tools

Assets

In his Hollywood Video model, assets included the VHS tapes they would rent, video game cartridges, candy, and snacks, as well as the cash and POS system. He made a point to call out that people should be counted as assets here, as they are definitely worth protecting. Remember to include 'your most valuable assets' when making your threat model. In general, when building your list of assets, the items you include should be important for your business to function from day to day.

Threats

While working at the video store, Ben identified two main groups of threats - external and internal.

While there were people who did commit shoplifting, one of the largest external threats came from customers not returning tapes but claiming they had. There was no real recourse in most situations, so the assets just vanished. Damage to tapes and video game cartridges was another major concern.

The internal threats were much more complex and nuanced. For example, at the end of work shifts, it was common for managers to tell employees to take some ice cream or snacks without accounting for them, while at the same time, each store was responsible for accurate inventory counts. The lack of following internal policies resulted in asset loss, which makes it a threat. Another example would be employees taking home 'broken' games to test, and then those games were never returned.

When creating your own threat list, it is important to consider all potential ways your assets can be lost or compromised. Don't just focus on malicious threat actors; account for internal oversight as well.

Security Tools And Constraints

At the video store, his security tools included things like the membership card for proper authentication and authorization. He also included door locks and anti-theft devices for the physical security of the building, as well as the management team itself, which is responsible for employee safety.

Your security tools might involve everything from single sign-on solutions like Okta for better access control, to Windows Defender to stop common threats, to secrets detection alerts from platforms like GitGuardian. While not every employee needs to know about every tool, it is important that they understand which of the security tools they interact with protect which assets.

Part of understanding your security tools is measuring the effectiveness of each in a real-world situation. In Ben's talk, he cited there were alarms that would go off if someone shoplifted a tape, but for employee safety, they never chased the culprits, effectively making the security tool worthless. Managers overrode inventory controls when they told employees to take free ice cream, thereby bypassing the tool that was meant to protect that very asset.

No matter what tools you have in place, they will only do any good if tested properly. You need human eyes, and consideration for real-world scenarios, to ensure your model is protecting your assets. If you know, for example, that some developers bypass git hooks on a regular basis, then you need to account for that in your testing scenarios.

If you need a little inspiration for your own threat modeling, Ben suggests the Bruce Wayne/Batman threat model.

Telling Your Security Story

One of the biggest challenges security teams face is communicating risks; this is especially true when dealing with non-technical team members or executives who are not too familiar with cybersecurity. Multiple speakers called for us to do a better job distinguishing between threats and risks.

In his talk, "Your Board Deck Sucks!: Why you can’t get buy-in for your security program," Walt Powell called out the difference between risk and threats as:

  • Risks are what you are trying to mitigate or reduce. Risks ultimately have a cost associated, as in how much you will lose in a scenario.
  • Threats are vulnerabilities and the potential for malicious actors to cause issues.

Another way to think about risk is probability multiplied by the scope of the impact, 'risk = probability X impact.' The board of directors does not really want to know about your threat horizon or what new Zero Day might be exploited; they want to know what kind of exposure they currently have to lose revenue and how proper investment can reduce or prevent that risk.

The rest of his excellent session focused on leveraging the art of storytelling when presenting to your board of directors. With the limited time you have, you need to educate, inform, update, and instill confidence that you are on the right track to protect the shareholders' investments. The harder something is to define, the harder it tends to be to sell, so do not get bogged down in technical jargon and data points. You need to speak in their language, and their language involves risks and real dollar amounts.

Another point Walt brought up was that storytelling with data should involve beautiful visuals.

This point was driven home by Jeremy Bauer in his talk "Don’t take me seriously: Lessons on translating cyber risks into business risks." We tend to rely on 4x4 matrices of red, yellow, and green boxes to show risks and where we grade ourselves. In his opinion, this is basically useless and invites the wrong questions.

He defined the executive team as people paid to take risks and the board of directors as people paid to monitor the risks they take. In both cases, people need to quickly assess what is working and what needs improvement without reading dozens of bullet points. Jeremy stressed, "It is your job as a security expert to provide appropriate analysis, using measurements that can be compared, in a context your audience will understand."

Jeremy also said we live in a world of miscommunication between teams. His example was that the executive team wanted "no risk" solutions, and the security team delivered 'Zero Trust.'

He said it is OK to be basic when presenting big ideas. Also, be wary of presenting everything as 'high risk'; this creates mistrust.

Looking For Secrets

Of course, no cybersecurity event would be complete without some discussion of hardcoded credentials, a subject of notable interest around here. In his session "Needle in the Hay: A Guide to Discovering Plaintext Credentials in Enterprise Environments," Ben Burkhart discussed what tools and approaches he used as a security researcher to find these highly prized assets.

The first tool he relies on is Snaffler, a simple `.exe` file that will find the proverbial needle of secrets in the haystack of a networked environment. He said the pros and the cons of the tool both include the amount of output he would see, but it is a great starting point to find common passwords stored throughout network file servers.

He also said he takes note of any upload folders, especially if they contain internal PDFs. He said it is far too common to find real DB credentials inside Excel spreadsheets, as the creator would need the credential to execute a lookup. He also noted that he is always alarmed at how many people store passwords in the 'notes' field in systems like SharePoint or Active Directory itself. Homegrown applications almost always contain secrets in source code and configuration files, which makes sense considering our research on the issue.

While we typically think of API keys and DB connection URLs when we think of secrets, Ben highlighted that credentials end up in a lot of other places as well. While he thinks fixing this issue is hard, if people consistently use the right tools to manage secrets, then this is an addressable situation. That is exactly what Andy Jaw addressed in his talk "A World Without Passwords."

He started his session by explaining the issues with long-lived passwords and how solutions like MFA fall short. While his presentation focused on Hello for Business, which he helps work on in his day-to-day duties at Microsoft, Andy laid out some very good general advice for rolling out any passwordless system that relies on FIDO, the Fast Identity Online specification. FIDO solutions use possession-based credentialing, most commonly a hardware token or a combination of biometrics and a PIN.

No matter what technology you implement, Jaw suggested taking a 4-stage approach, as they did inside his department.

  1. Deploy your password-replacement offering - Make it available and provide an easy onboarding path
  2. Reduce user-visible passwords - For any new systems that come online, your FIDO solution should be the default.
  3. Transition to passwordless deployment - This will take time. Focus on the most vulnerable systems first.
  4. Eliminate passwords from your Identity Directory - This is the final goal; recognize this is a journey and that some passwords will likely still need to exist.

One common misunderstanding he hears from teams is that a "PIN is just another password." PINs are typically device-specific and are not typically sent over the network. The analogy he used was the difference between having your Google account credentials stolen versus your smartphone PIN leaked. Anyone with your Google account can log in as you from anywhere. But if someone knows your phone PIN, they also would need to have physical access to your phone to use it.

A Security Community Experience

Cyphercon 6 offered a lot of sessions, workshops, villages, and fun. Much more than I can write about here. The biggest takeaway from the event is that the security community really does care about keeping us all safe. No matter if that takes the form of students participating in a Capture the Flag event to learn about red teaming or if it takes the form of people presenting sessions on vulnerabilities in their field of expertise, this is a community of lifelong learners who are eager to share what they know. If you have never been to a 'hacker security conference' before, then I would strongly encourage it, and you won't have to wait until next Cyphercon. The organizers ended the event by announcing they will also be putting together Secretcon happening November 2-3, 2023, in Minneapolis.