1
00:00:05,509 --> 00:00:12,719
good afternoon everyone welcome to NolaCon
2
00:00:08,820 --> 00:00:15,450
and thank you for coming for my
3
00:00:12,719 --> 00:00:19,109
talk I appreciate NolaCon for having
4
00:00:15,450 --> 00:00:22,799
me down here to speak let me jump right
5
00:00:19,109 --> 00:00:26,070
in want to start with giving a survey
6
00:00:22,800 --> 00:00:29,130
I know it's the first talk we're just
7
00:00:26,070 --> 00:00:31,140
getting started but I want some audience
8
00:00:29,130 --> 00:00:32,729
participation here because the intention
9
00:00:31,140 --> 00:00:35,430
of this talk is really to start a
10
00:00:32,729 --> 00:00:37,559
conversation so when you hear the
11
00:00:35,430 --> 00:00:42,450
question does DoD security work in the
12
00:00:37,559 --> 00:00:48,839
real world how many people say yes one
13
00:00:42,450 --> 00:00:50,430
two look at you how many people say no good
14
00:00:48,840 --> 00:00:53,730
bring a couple brave souls
15
00:00:50,430 --> 00:00:55,199
I like discussion and lively debate how
16
00:00:53,730 --> 00:01:00,239
many people just want to wait and hear
17
00:00:55,199 --> 00:01:01,769
what I have to say about and how many of
18
00:01:00,239 --> 00:01:06,408
us just want to be somewhere else right
19
00:01:01,770 --> 00:01:06,409
now all right
20
00:01:07,820 --> 00:01:14,820
the reason this question came about let
21
00:01:11,490 --> 00:01:19,048
me start with that for about 10 years I
22
00:01:14,820 --> 00:01:21,960
was in the PCI world as a QSA and I had
23
00:01:19,049 --> 00:01:25,860
a customer probably it's probably been
24
00:01:21,960 --> 00:01:28,350
almost late where should I not be that's
25
00:01:25,860 --> 00:01:32,970
good okay I am now limited to where I
26
00:01:28,350 --> 00:01:42,298
can play hey no I think I should be up
27
00:01:32,970 --> 00:01:45,979
this one is that the other room all
28
00:01:42,299 --> 00:01:50,579
right yeah
29
00:01:45,979 --> 00:01:52,950
I'm gonna stand right here I had a customer
30
00:01:50,579 --> 00:01:54,809
probably been almost 10 years ago we
31
00:01:52,950 --> 00:02:00,240
were having a discussion one afternoon
32
00:01:54,810 --> 00:02:02,430
about encryption the requirement in the
33
00:02:00,240 --> 00:02:04,229
PCI Data Security Standard that says if
34
00:02:02,430 --> 00:02:07,110
you have data at rest you need to
35
00:02:04,229 --> 00:02:09,030
protect it in some way and this was a
36
00:02:07,110 --> 00:02:11,370
major retailer you've heard of them you've
37
00:02:09,030 --> 00:02:13,020
probably shopped there they actually
38
00:02:11,370 --> 00:02:16,530
were one of the companies that had been
39
00:02:13,020 --> 00:02:20,730
a victim of a major breach back in the
40
00:02:16,530 --> 00:02:22,410
late 2000s and being a retailer and
41
00:02:20,730 --> 00:02:24,929
being only recently connected to the
42
00:02:22,410 --> 00:02:26,579
Internet relatively recently they didn't
43
00:02:24,930 --> 00:02:28,050
have a whole lot of security expertise
44
00:02:26,580 --> 00:02:30,060
as you might imagine they didn't have a
45
00:02:28,050 --> 00:02:31,350
lot of institutional knowledge so we
46
00:02:30,060 --> 00:02:32,910
spent the better part of an afternoon
47
00:02:31,350 --> 00:02:35,820
just kind of going through this
48
00:02:32,910 --> 00:02:38,220
requirement and I was kind of explaining
49
00:02:35,820 --> 00:02:40,109
to him what it all meant and you know
50
00:02:38,220 --> 00:02:44,730
what it meant to do encryption and all
51
00:02:40,110 --> 00:02:47,130
the other different options and at some
52
00:02:44,730 --> 00:02:50,310
point in the discussion the person that
53
00:02:47,130 --> 00:02:52,440
I was speaking to said to me yeah but we
54
00:02:50,310 --> 00:02:55,290
don't need DoD level security because we
55
00:02:52,440 --> 00:02:58,620
just sell women's clothing whatever it
56
00:02:55,290 --> 00:03:02,070
was and that really has stuck with me
57
00:02:58,620 --> 00:03:03,930
for most of the last 10 years because it
58
00:03:02,070 --> 00:03:06,390
always kind of bothered me that this
59
00:03:03,930 --> 00:03:10,080
person just kind of casually cast off
60
00:03:06,390 --> 00:03:12,390
all this useful institutional knowledge
61
00:03:10,080 --> 00:03:14,730
that I had about cryptography and
62
00:03:12,390 --> 00:03:17,910
encryption and just kind of dismissed it
63
00:03:14,730 --> 00:03:21,869
as yeah but we don't need DoD level
64
00:03:17,910 --> 00:03:23,850
security anyway my name is Jeff Man I'm
65
00:03:21,870 --> 00:03:25,440
a co-host on Security Weekly if I look
66
00:03:23,850 --> 00:03:29,340
familiar to some of you if any of you
67
00:03:25,440 --> 00:03:31,260
watch Security Weekly I have done a few
68
00:03:29,340 --> 00:03:33,120
things in my life I am considered a
69
00:03:31,260 --> 00:03:37,679
curmudgeon at this point I've been doing
70
00:03:33,120 --> 00:03:40,320
this for about 35 years I got my start
71
00:03:37,680 --> 00:03:42,480
at NSA quite well you're about to learn
72
00:03:40,320 --> 00:03:45,239
I didn't get my start at NSA but the
73
00:03:42,480 --> 00:03:46,859
bulk of my DoD career was at NSA while I
74
00:03:45,240 --> 00:03:48,360
was there I was a cryptologist which is
75
00:03:46,860 --> 00:03:51,930
why I had fun spending an afternoon
76
00:03:48,360 --> 00:03:54,120
talking about encryption and got out
77
00:03:51,930 --> 00:03:56,370
about 20 years ago and I've been
78
00:03:54,120 --> 00:03:58,320
consultant in the private sector ever
79
00:03:56,370 --> 00:04:01,050
since started out as a pen tester doing
80
00:03:58,320 --> 00:04:04,500
red teaming moved into a few other
81
00:04:01,050 --> 00:04:07,830
things ended up doing PCI I called it PCI
82
00:04:04,500 --> 00:04:10,020
purgatory for about 10 years and the
83
00:04:07,830 --> 00:04:12,690
last couple of years I was working for a
84
00:04:10,020 --> 00:04:14,370
software vendor they brought me on as a
85
00:04:12,690 --> 00:04:16,469
subject matter expert and they say go
86
00:04:14,370 --> 00:04:18,358
out and start speaking at conferences you
87
00:04:16,470 --> 00:04:20,730
know you're an old guy you know a lot
88
00:04:18,358 --> 00:04:24,770
start teaching people and talking to people
89
00:04:20,730 --> 00:04:24,770
which is largely why I'm here
90
00:04:26,100 --> 00:04:30,240
just a little you know 15 minutes of
91
00:04:28,290 --> 00:04:32,130
fame thing has anybody heard of this
92
00:04:30,240 --> 00:04:35,130
book it came out last year called Dark
93
00:04:32,130 --> 00:04:36,570
Territory it's available on
94
00:04:35,130 --> 00:04:40,440
Amazon you can look it up and download
95
00:04:36,570 --> 00:04:42,240
it now in this book that in the fourth
96
00:04:40,440 --> 00:04:43,920
chapter which is titled Eligible
97
00:04:42,240 --> 00:04:46,680
Receiver anybody know what Eligible
98
00:04:43,920 --> 00:04:47,820
Receiver is or was you should go read
99
00:04:46,680 --> 00:04:50,580
the book we'll find out
100
00:04:47,820 --> 00:04:53,460
but in that chapter titled Eligible
101
00:04:50,580 --> 00:04:56,010
Receiver there's a paragraph that says
102
00:04:53,460 --> 00:04:57,570
the NSA had a similar group called the
103
00:04:56,010 --> 00:05:00,990
red team it was part of the information
104
00:04:57,570 --> 00:05:03,540
Assurance Directorate blah
105
00:05:00,990 --> 00:05:06,030
it was the defensive side of NSA it was
106
00:05:03,540 --> 00:05:08,700
stationed at FANX up near Friendship
107
00:05:06,030 --> 00:05:12,929
Airport which for modern-day people was
108
00:05:08,700 --> 00:05:15,240
BWI during its most sensitive drills the
109
00:05:12,930 --> 00:05:18,540
red team worked out of a chamber called
110
00:05:15,240 --> 00:05:21,390
the Pit which was so secret I have to do
111
00:05:18,540 --> 00:05:23,700
this dramatically that few people at NSA
112
00:05:21,390 --> 00:05:25,380
knew it even existed and even they
113
00:05:23,700 --> 00:05:27,960
couldn't enter without first passing
114
00:05:25,380 --> 00:05:31,080
through two combination lock doors not
115
00:05:27,960 --> 00:05:33,000
one two well I'm here to tell
116
00:05:31,080 --> 00:05:35,849
you I was actually a member of the Pit
117
00:05:33,000 --> 00:05:40,110
the original first red team at NSA and
118
00:05:35,850 --> 00:05:42,090
the Pit was our office it did have a door
119
00:05:40,110 --> 00:05:43,770
that we had cubicles and desks and it
120
00:05:42,090 --> 00:05:46,109
was just a government office but somehow
121
00:05:43,770 --> 00:05:48,599
we've morphed into this legendary thing
122
00:05:46,110 --> 00:05:51,240
called the Pit so for what it's worth
123
00:05:48,600 --> 00:05:56,580
you now can say you've met somebody from
124
00:05:51,240 --> 00:05:58,830
the Pit this is actual aerial footage
125
00:05:56,580 --> 00:06:00,930
outside of friendship Airport otherwise
126
00:05:58,830 --> 00:06:02,820
known as BWI and that building right
127
00:06:00,930 --> 00:06:05,310
there that corner that's where our
128
00:06:02,820 --> 00:06:08,280
office was that's where the Pit was it
129
00:06:05,310 --> 00:06:13,850
was really did exist it was an office
130
00:06:08,280 --> 00:06:16,020
cubicle I shattered to death anyway I
131
00:06:13,850 --> 00:06:17,520
share that a little bit to give you a
132
00:06:16,020 --> 00:06:20,120
little bit of my background but also I
133
00:06:17,520 --> 00:06:23,549
do want to say one of my early mentors
134
00:06:20,120 --> 00:06:25,230
at NSA was this woman named Becky Bace
135
00:06:23,550 --> 00:06:27,780
if you've never heard of her
136
00:06:25,230 --> 00:06:30,180
I encourage you to look her up she
137
00:06:27,780 --> 00:06:34,080
actually just passed away back in March
138
00:06:30,180 --> 00:06:36,780
rather suddenly her website infidel.net
139
00:06:34,080 --> 00:06:38,529
if you look that up it sort of become a
140
00:06:36,780 --> 00:06:40,568
tribute site or the
141
00:06:38,529 --> 00:06:43,839
people are putting up remembrances of
142
00:06:40,569 --> 00:06:45,909
her there's actually a link I think
143
00:06:43,839 --> 00:06:47,169
that's going there to an oral history
144
00:06:45,909 --> 00:06:49,808
that was done
145
00:06:47,169 --> 00:06:51,609
somebody interviewed her if you want to
146
00:06:49,809 --> 00:06:53,349
get a really good glimpse of InfoSec
147
00:06:51,609 --> 00:06:56,409
history am I blocking you completely
148
00:06:53,349 --> 00:06:58,449
what I was seeing here sorry
149
00:06:56,409 --> 00:07:02,379
I'll try to give you glimpses agree on
150
00:06:58,449 --> 00:07:05,499
one really good history of InfoSec over
151
00:07:02,379 --> 00:07:09,609
the last 25 30 years a lot of
152
00:07:05,499 --> 00:07:11,309
involvement she was a mentor to many out
153
00:07:09,609 --> 00:07:14,739
in the private sector especially
154
00:07:11,309 --> 00:07:19,239
bringing women into InfoSec into the
155
00:07:14,739 --> 00:07:21,008
technology community so probably for the
156
00:07:19,239 --> 00:07:23,138
next year or so or at least the rest of
157
00:07:21,009 --> 00:07:26,979
this year my talks are dedicated to her
158
00:07:23,139 --> 00:07:29,649
we called her Mom or Infomom and she's
159
00:07:26,979 --> 00:07:31,959
one of the unsung that's not
160
00:07:29,649 --> 00:07:37,059
necessarily well known outside of the DC
161
00:07:31,959 --> 00:07:41,259
Maryland area heroes of InfoSec so
162
00:07:37,059 --> 00:07:46,119
this is this talk's for you Becky so my
163
00:07:41,259 --> 00:07:48,339
career really started back in 1984 and
164
00:07:46,119 --> 00:07:51,549
it didn't start at NSA I actually got a
165
00:07:48,339 --> 00:07:53,559
job as a summer intern at a research
166
00:07:51,549 --> 00:07:56,469
facility that at the time was called the
167
00:07:53,559 --> 00:07:59,409
Naval Surface Weapons Center and this
168
00:07:56,469 --> 00:08:04,179
was in White Oak Maryland so I'm from
169
00:07:59,409 --> 00:08:05,709
Maryland and my job was for the summer I
170
00:08:04,179 --> 00:08:08,679
was hired by this guy that was a
171
00:08:05,709 --> 00:08:12,609
physicist that did anti-submarine warfare
172
00:08:08,679 --> 00:08:14,828
research and he had gotten ahold of some
173
00:08:12,609 --> 00:08:16,599
money and was able to buy this kind of
174
00:08:14,829 --> 00:08:19,869
newfangled thing called a desktop
175
00:08:16,599 --> 00:08:21,639
computer and he bought some early
176
00:08:19,869 --> 00:08:23,829
database software I want to say it was
177
00:08:21,639 --> 00:08:26,499
dBase II if any old-timers out there
178
00:08:23,829 --> 00:08:28,329
remember dBase II and my job was
179
00:08:26,499 --> 00:08:32,189
basically to go through this filing
180
00:08:28,329 --> 00:08:36,039
cabinet that he had been collecting
181
00:08:32,188 --> 00:08:38,379
research material probably over the span
182
00:08:36,039 --> 00:08:40,479
of about 25 years most of his career
183
00:08:38,379 --> 00:08:43,089
that he had just piled into this safe
184
00:08:40,479 --> 00:08:46,059
this locking cabinet and he wanted me to
185
00:08:43,089 --> 00:08:48,429
build a relational database where he
186
00:08:46,059 --> 00:08:49,959
could start to capture some of the you
187
00:08:48,429 --> 00:08:50,630
know the details that are in all the
188
00:08:49,959 --> 00:08:53,329
different
189
00:08:50,630 --> 00:08:55,640
girls he had and put it in a searchable
190
00:08:53,330 --> 00:09:00,410
database I got the you know sort of my
191
00:08:55,640 --> 00:09:04,430
first exposure to a personal computer
192
00:09:00,410 --> 00:09:06,260
first exposure to database funny story
193
00:09:04,430 --> 00:09:08,000
my first week on the job he was trying
194
00:09:06,260 --> 00:09:10,100
to explain to me what anti-submarine
195
00:09:08,000 --> 00:09:11,780
warfare was so he handed me this book
196
00:09:10,100 --> 00:09:13,340
and said you know this this book just
197
00:09:11,780 --> 00:09:15,050
came out recently and it kind of
198
00:09:13,340 --> 00:09:17,450
explains what we do as well as I could
199
00:09:15,050 --> 00:09:19,790
so read it so I was just you know
200
00:09:17,450 --> 00:09:21,380
college students summer intern working
201
00:09:19,790 --> 00:09:22,640
for the government and the first week I
202
00:09:21,380 --> 00:09:29,240
got to read a book I thought that was
203
00:09:22,640 --> 00:09:31,699
really cool so unless you guys can see
204
00:09:29,240 --> 00:09:33,770
it I might have to read it to you for so
205
00:09:31,700 --> 00:09:36,080
where this story starts is one morning
206
00:09:33,770 --> 00:09:39,050
my first exposure to security really is
207
00:09:36,080 --> 00:09:41,690
I walked in I opened up this cabinet and
208
00:09:39,050 --> 00:09:43,969
inside the drawer there was this pink
209
00:09:41,690 --> 00:09:46,100
slip that said please come to the
210
00:09:43,970 --> 00:09:48,020
Security office so I went to the
211
00:09:46,100 --> 00:09:50,210
Security office and it turns out that I
212
00:09:48,020 --> 00:09:53,300
had actually accidentally left the safe
213
00:09:50,210 --> 00:09:56,690
unlocked the night before and I was
214
00:09:53,300 --> 00:09:58,609
called I was busted and yeah I was a
215
00:09:56,690 --> 00:10:00,380
young college kid and I thought well
216
00:09:58,610 --> 00:10:02,390
what's the big deal you know we're you
217
00:10:00,380 --> 00:10:05,710
know this is the 80s we're not at war
218
00:10:02,390 --> 00:10:10,640
you know we're not actively fighting any
219
00:10:05,710 --> 00:10:13,370
submarine warfare anywhere and you know
220
00:10:10,640 --> 00:10:15,530
I'm at this facility that's got a fence
221
00:10:13,370 --> 00:10:19,040
around it so nobody can just walk into
222
00:10:15,530 --> 00:10:21,310
the campus there's there's a control at
223
00:10:19,040 --> 00:10:23,329
the front desk where you have to go past
224
00:10:21,310 --> 00:10:25,699
turnstiles you have to go through
225
00:10:23,330 --> 00:10:27,320
security to get into the building I'm in
226
00:10:25,700 --> 00:10:30,800
an office that's locked it's locked
227
00:10:27,320 --> 00:10:33,770
overnight and there's guards to patrol
228
00:10:30,800 --> 00:10:37,030
the the facility so what's the big deal
229
00:10:33,770 --> 00:10:40,699
you know so I left the safe unlocked
230
00:10:37,030 --> 00:10:42,920
that was my attitude then and just keep
231
00:10:40,700 --> 00:10:43,610
that in the back your mind will bring
232
00:10:42,920 --> 00:10:49,579
that up again
233
00:10:43,610 --> 00:10:51,680
in a little while so a little bit of
234
00:10:49,580 --> 00:10:54,080
background a little bit of a preamble to
235
00:10:51,680 --> 00:10:56,150
what I want to try to convey today in
236
00:10:54,080 --> 00:10:59,240
terms of just DoD security work in the
237
00:10:56,150 --> 00:11:01,189
real world and again I intend this to be
238
00:10:59,240 --> 00:11:03,290
a discussion starter I'm not here trying
239
00:11:01,190 --> 00:11:04,279
to say I have the absolute and final
240
00:11:03,290 --> 00:11:08,810
appeal
241
00:11:04,279 --> 00:11:11,749
in on all things related to InfoSec but
242
00:11:08,810 --> 00:11:13,219
if you're like me and you look at the
243
00:11:11,749 --> 00:11:17,449
what's going on in the world today in
244
00:11:13,220 --> 00:11:21,290
terms of security it's simply depressing does it
245
00:11:17,449 --> 00:11:21,649
seem like we're losing I get depressed a
246
00:11:21,290 --> 00:11:24,050
lot
247
00:11:21,649 --> 00:11:27,769
I'm not clinically depressed but I get
248
00:11:24,050 --> 00:11:29,149
irritated that I've got 35 years of
249
00:11:27,769 --> 00:11:31,970
experience and I try to teach people
250
00:11:29,149 --> 00:11:35,269
about security and we somehow as a
251
00:11:31,970 --> 00:11:37,220
community and as an industry don't seem
252
00:11:35,269 --> 00:11:38,689
to be advancing things sometimes we
253
00:11:37,220 --> 00:11:41,360
don't seem to be helping sometimes
254
00:11:38,689 --> 00:11:44,269
because time and time again companies
255
00:11:41,360 --> 00:11:49,009
are being confronted with issues and
256
00:11:44,269 --> 00:11:52,100
breaches and problems so what I wanted
257
00:11:49,009 --> 00:11:54,170
to do was and so having this no we don't
258
00:11:52,100 --> 00:11:55,819
need DoD level security in the back of
259
00:11:54,170 --> 00:11:58,248
my mind from this person that told me
260
00:11:55,819 --> 00:12:00,199
this eight or nine years ago I wanted to
261
00:11:58,249 --> 00:12:01,819
put together some thoughts and share it
262
00:12:00,199 --> 00:12:06,559
with you guys again as a discussion
263
00:12:01,819 --> 00:12:08,059
starter my first thought is in my
264
00:12:06,559 --> 00:12:10,370
experience when I start talking to
265
00:12:08,059 --> 00:12:11,569
people about DoD level security I think
266
00:12:10,370 --> 00:12:13,160
a lot of people have the opinion
267
00:12:11,569 --> 00:12:16,250
especially if you haven't worked for the
268
00:12:13,160 --> 00:12:18,980
DoD but it's some ultra high super
269
00:12:16,250 --> 00:12:21,559
secret super secure lots of Technology
270
00:12:18,980 --> 00:12:25,550
lots of costs and expense it's this nth
271
00:12:21,559 --> 00:12:29,059
degree of security I also like to throw
272
00:12:25,550 --> 00:12:34,209
in movie slides to my talk so you may
273
00:12:29,059 --> 00:12:34,209
know what that movie is from very good
274
00:12:34,899 --> 00:12:41,930
in my experience when I was with the DoD
275
00:12:38,930 --> 00:12:43,939
there were many facets to security there
276
00:12:41,930 --> 00:12:45,620
were many different sub disciplines if
277
00:12:43,939 --> 00:12:48,230
you will to security and I just tried to
278
00:12:45,620 --> 00:12:50,809
capture a few and I tried to add a few I
279
00:12:48,230 --> 00:12:52,759
googled I saw what new ones are out
280
00:12:50,809 --> 00:12:54,500
there so I don't even know if I could
281
00:12:52,759 --> 00:12:57,439
tell you what all of those things are
282
00:12:54,500 --> 00:12:59,360
but and the government likes to
283
00:12:57,439 --> 00:13:01,719
abbreviate abbreviate everything with
284
00:12:59,360 --> 00:13:04,610
one syllable or two syllable words so
285
00:13:01,720 --> 00:13:06,559
COMSEC is communication security that's
286
00:13:04,610 --> 00:13:09,290
what it was called when I started NSA
287
00:13:06,559 --> 00:13:13,689
the later became information security or
288
00:13:09,290 --> 00:13:17,510
InfoSec OPSEC is operational security
289
00:13:13,689 --> 00:13:20,270
EMSEC is emissions security you get the
290
00:13:17,510 --> 00:13:21,950
SIGINT signals intelligence satellite
291
00:13:20,270 --> 00:13:23,660
intelligence communications intelligence
292
00:13:21,950 --> 00:13:25,820
and on and on and on and on
293
00:13:23,660 --> 00:13:29,980
a lot of different disciplines a lot of
294
00:13:25,820 --> 00:13:32,780
different things go into DoD security
295
00:13:29,980 --> 00:13:35,750
but the way I was taught the way I was
296
00:13:32,780 --> 00:13:38,750
classically trained was we learned this
297
00:13:35,750 --> 00:13:41,870
risk equation and you know this is not
298
00:13:38,750 --> 00:13:44,390
new I'm sure most of you have at least
299
00:13:41,870 --> 00:13:45,920
heard of the risk equation if not you
300
00:13:44,390 --> 00:13:48,290
know have worked with it or somewhat
301
00:13:45,920 --> 00:13:49,910
familiar with it and you can see some of
302
00:13:48,290 --> 00:13:52,490
the words in it that certainly is what
303
00:13:49,910 --> 00:13:54,650
drives our security industry we're all
304
00:13:52,490 --> 00:13:56,750
about vulnerabilities we're a little bit
305
00:13:54,650 --> 00:14:00,800
about threats we're talking about risks
306
00:13:56,750 --> 00:14:04,190
all the time but the basic risk equation
307
00:14:00,800 --> 00:14:06,349
is you have this concept of if you're an
308
00:14:04,190 --> 00:14:08,900
organization if you're an entity if
309
00:14:06,350 --> 00:14:12,080
you're a country if you're the DoD the
310
00:14:08,900 --> 00:14:14,360
military you're you have something that
311
00:14:12,080 --> 00:14:16,340
is at risk there is some sort of risk to
312
00:14:14,360 --> 00:14:18,830
you and that risk can be measured and
313
00:14:16,340 --> 00:14:21,290
there's a thousand different algorithms
314
00:14:18,830 --> 00:14:23,120
and calculations you can do none of them
315
00:14:21,290 --> 00:14:26,420
are perfect so I just try to simplify it
316
00:14:23,120 --> 00:14:28,010
but risk is some sort of combination of
317
00:14:26,420 --> 00:14:31,189
the vulnerabilities that are present
318
00:14:28,010 --> 00:14:34,220
within your environment the threats the
319
00:14:31,190 --> 00:14:37,100
that are coming against your
320
00:14:34,220 --> 00:14:39,560
organization and this is and this
321
00:14:37,100 --> 00:14:41,150
combination is hopefully reduced by
322
00:14:39,560 --> 00:14:43,819
whatever you do in terms of security
323
00:14:41,150 --> 00:14:46,880
what we used to call countermeasures so
324
00:14:43,820 --> 00:14:49,760
you know very simplistic algorithm very
325
00:14:46,880 --> 00:14:52,730
simplistic equation but the idea is
326
00:14:49,760 --> 00:14:54,890
you're trying to reduce risk lower risk
327
00:14:52,730 --> 00:14:56,990
and you have three options you either
328
00:14:54,890 --> 00:14:59,300
reduce vulnerabilities you reduce the
329
00:14:56,990 --> 00:15:00,860
threat or you apply more countermeasures
330
00:14:59,300 --> 00:15:03,650
makes sense right
331
00:15:00,860 --> 00:15:05,690
as I was putting this together it
332
00:15:03,650 --> 00:15:10,420
occurred to me the risk equation is it
333
00:15:05,690 --> 00:15:15,080
applies to the DoD risk is most often
334
00:15:10,420 --> 00:15:17,810
in reference to human life whether it's
335
00:15:15,080 --> 00:15:19,310
a branch of the military and you're
336
00:15:17,810 --> 00:15:22,130
trying to determine what the risk of
337
00:15:19,310 --> 00:15:24,109
deploying forces are if you know in
338
00:15:22,130 --> 00:15:27,070
terms of national security it might be a
339
00:15:24,110 --> 00:15:29,020
risk to citizens it might be a risk to
340
00:15:27,070 --> 00:15:31,810
diplomats and
341
00:15:29,020 --> 00:15:34,959
citizens that are deployed abroad so
342
00:15:31,810 --> 00:15:36,430
essentially and I'm probably over
343
00:15:34,959 --> 00:15:38,829
generalizing a little bit but
344
00:15:36,430 --> 00:15:41,020
essentially risk in the sense of the DoD
345
00:15:38,830 --> 00:15:43,870
in the sense of national security in the
346
00:15:41,020 --> 00:15:46,029
sense of defense of our country can be
347
00:15:43,870 --> 00:15:50,230
thought of mostly in terms of human life
348
00:15:46,029 --> 00:15:53,050
and because of that the approach that I
349
00:15:50,230 --> 00:15:57,730
learned to security in the DoD was not
350
00:15:53,050 --> 00:15:59,319
not so much at all you know no costs you
351
00:15:57,730 --> 00:16:01,510
know there was no limitation to budget
352
00:15:59,320 --> 00:16:02,800
but it was sort of like that you know it
353
00:16:01,510 --> 00:16:04,510
didn't matter what the cost was
354
00:16:02,800 --> 00:16:07,180
associated with it didn't matter what
355
00:16:04,510 --> 00:16:09,310
the budgets were we had to do security a
356
00:16:07,180 --> 00:16:11,439
certain way we had to do security right
357
00:16:09,310 --> 00:16:13,599
we had to do a security to a certain
358
00:16:11,440 --> 00:16:19,060
degree and all those elements that I
359
00:16:13,600 --> 00:16:21,010
showed you and more were involved in the
360
00:16:19,060 --> 00:16:22,750
way I was taught the equation
361
00:16:21,010 --> 00:16:24,520
vulnerabilities I ask I go to conferences
362
00:16:22,750 --> 00:16:27,010
and trade shows all the time and
363
00:16:24,520 --> 00:16:29,560
especially when I see vendors splashing
364
00:16:27,010 --> 00:16:31,540
the big screens banners saying they do
365
00:16:29,560 --> 00:16:32,680
vulnerability or they do threat I'll go
366
00:16:31,540 --> 00:16:35,709
up and ask them what is the
367
00:16:32,680 --> 00:16:37,270
vulnerability try it yourself sometimes
368
00:16:35,709 --> 00:16:38,500
see what kind of different answers you
369
00:16:37,270 --> 00:16:41,470
get or even better
370
00:16:38,500 --> 00:16:43,959
what's a threat I was trained that
371
00:16:41,470 --> 00:16:46,180
vulnerability is a weakness period leave
372
00:16:43,959 --> 00:16:50,020
it at that don't get into details it's a
373
00:16:46,180 --> 00:16:52,149
weakness threat the way I was trained is
374
00:16:50,020 --> 00:16:55,870
the who that is trying to do something
375
00:16:52,149 --> 00:16:59,740
bad to you but you go out and ask people
376
00:16:55,870 --> 00:17:02,380
and maybe even some of you have you know
377
00:16:59,740 --> 00:17:04,750
similar ideas but threat I think is most
378
00:17:02,380 --> 00:17:08,109
often described in our industry is more
379
00:17:04,750 --> 00:17:10,209
of what I used to or I was taught was a
380
00:17:08,109 --> 00:17:12,399
threat agent its what the threat the who
381
00:17:10,209 --> 00:17:15,600
is doing to you or how they're doing it
382
00:17:12,400 --> 00:17:18,220
it's the thing that's happening which
383
00:17:15,599 --> 00:17:20,740
I'm not trying to be picky I'm not
384
00:17:18,220 --> 00:17:22,839
trying to nitpick but again the way I
385
00:17:20,740 --> 00:17:25,959
was classically trained the threats or
386
00:17:22,839 --> 00:17:28,000
the who it's not the what or the how and
387
00:17:25,959 --> 00:17:30,910
then finally the countermeasures are all
388
00:17:28,000 --> 00:17:32,890
the things that you do to try to protect
389
00:17:30,910 --> 00:17:34,929
yourself whether that's driving down
390
00:17:32,890 --> 00:17:38,020
vulnerabilities or driving down threats
391
00:17:34,929 --> 00:17:39,850
or other active corrective actions
392
00:17:38,020 --> 00:17:43,270
whether it's monitoring whether it's
393
00:17:39,850 --> 00:17:45,280
logging whether it's increased perimeter
394
00:17:43,270 --> 00:17:47,350
security and again that's not not even
395
00:17:45,280 --> 00:17:49,840
necessarily in the context of networks
396
00:17:47,350 --> 00:17:52,480
but even in the context of physical
397
00:17:49,840 --> 00:17:55,059
security applying more guards building a
398
00:17:52,480 --> 00:17:57,670
bigger wall building a bigger fence
399
00:17:55,059 --> 00:17:59,620
putting concertina wire on the top of
400
00:17:57,670 --> 00:18:00,730
the fence and so on and so forth these
401
00:17:59,620 --> 00:18:03,189
are all the things that are done to
402
00:18:00,730 --> 00:18:06,220
protect against the threat and hopefully
403
00:18:03,190 --> 00:18:08,940
reduce not necessarily who's doing it
404
00:18:06,220 --> 00:18:13,120
but their ability to do something to you
405
00:18:08,940 --> 00:18:16,870
and hopefully this is familiar to you as
406
00:18:13,120 --> 00:18:19,989
well security often had to do with data
407
00:18:16,870 --> 00:18:22,570
security communications in the specific
408
00:18:19,990 --> 00:18:25,090
instance of NSA and we were classically
409
00:18:22,570 --> 00:18:26,860
trained that but we you know what could
410
00:18:25,090 --> 00:18:29,050
go wrong what you're trying to do with
411
00:18:26,860 --> 00:18:30,850
protecting data boils down to three
412
00:18:29,050 --> 00:18:34,600
different things confidentiality and
413
00:18:30,850 --> 00:18:36,669
integrity and availability so you know
414
00:18:34,600 --> 00:18:39,250
those should all these familiar concepts
415
00:18:36,670 --> 00:18:41,380
these are not new things the the
416
00:18:39,250 --> 00:18:44,770
internet and technology computer world
417
00:18:41,380 --> 00:18:46,690
has introduced a few more nuances to
418
00:18:44,770 --> 00:18:48,970
these three but these are still the
419
00:18:46,690 --> 00:18:51,670
three basic things most of what we do in
420
00:18:48,970 --> 00:18:55,950
this industry drives back to one of
421
00:18:51,670 --> 00:18:55,950
these three things with a few exceptions
422
00:18:56,550 --> 00:19:01,540
my first office at NSA I was in the I
423
00:18:59,770 --> 00:19:03,700
was on the defensive side and I was in
424
00:19:01,540 --> 00:19:06,790
the office I was in the office that
425
00:19:03,700 --> 00:19:08,800
produced one-time pads yes we were using
426
00:19:06,790 --> 00:19:10,480
them in the 80s in fact I think we're
427
00:19:08,800 --> 00:19:12,129
still using them somewhere today but I
428
00:19:10,480 --> 00:19:14,890
don't quote me because I haven't worked
429
00:19:12,130 --> 00:19:16,480
for the government in many years but if
430
00:19:14,890 --> 00:19:19,090
you're not familiar with the one-time
431
00:19:16,480 --> 00:19:21,250
pad the one-time pad is perfect
432
00:19:19,090 --> 00:19:24,520
encryption so long as it's used properly
433
00:19:21,250 --> 00:19:27,490
which is one time it is not
434
00:19:24,520 --> 00:19:29,290
cryptographically solvable most of the
435
00:19:27,490 --> 00:19:31,110
other cryptography that is involved
436
00:19:29,290 --> 00:19:34,480
these days especially in our machine
437
00:19:31,110 --> 00:19:37,689
computer networking world our machine
438
00:19:34,480 --> 00:19:40,570
generated or computationally formulated
439
00:19:37,690 --> 00:19:42,940
or algorithmically based which means
440
00:19:40,570 --> 00:19:45,309
that although the numbers might be large
441
00:19:42,940 --> 00:19:48,640
there is a cryptographic solution it can
442
00:19:45,309 --> 00:19:51,440
be broken it can be solved given enough
443
00:19:48,640 --> 00:19:53,870
time not so with the one-time pad
444
00:19:51,440 --> 00:19:55,820
so my simplistic attitude having started
445
00:19:53,870 --> 00:19:57,799
in that office is it's all been downhill
446
00:19:55,820 --> 00:20:00,500
ever since we decided not to use a
447
00:19:57,799 --> 00:20:03,110
one-time pad perfect encryption perfect
448
00:20:00,500 --> 00:20:05,149
security we've given that up for speed
449
00:20:03,110 --> 00:20:08,750
and convenience and the ability to
450
00:20:05,149 --> 00:20:12,049
stream video and stuff like that so then
451
00:20:08,750 --> 00:20:14,570
downhill from that so again getting back
452
00:20:12,049 --> 00:20:18,379
to this concept we don't need DoD level
453
00:20:14,570 --> 00:20:21,320
security some of the reasons that I've
454
00:20:18,379 --> 00:20:23,689
seen why DoD level security doesn't
455
00:20:21,320 --> 00:20:26,269
seem to be sticking there doesn't seem
456
00:20:23,690 --> 00:20:28,610
to be much interest in it are some of
457
00:20:26,269 --> 00:20:32,509
these ideas and I think most importantly
458
00:20:28,610 --> 00:20:34,969
is it it may very well be very expensive
459
00:20:32,509 --> 00:20:38,450
it may just be simply a perception that
460
00:20:34,970 --> 00:20:41,149
it's more expensive but certainly there
461
00:20:38,450 --> 00:20:46,750
is a monetary cost to doing more than
462
00:20:41,149 --> 00:20:48,860
than what you're doing in the near term
463
00:20:46,750 --> 00:20:50,210
there's a lot of companies out there a
464
00:20:48,860 --> 00:20:51,769
lot of organizations that I've worked
465
00:20:50,210 --> 00:20:53,450
with over the years but just simply
466
00:20:51,769 --> 00:20:56,870
didn't think they needed it you know we
467
00:20:53,450 --> 00:20:58,970
sell shoes we sell underwear when Home
468
00:20:56,870 --> 00:21:01,580
Depot was hacked a couple years ago the
469
00:20:58,970 --> 00:21:04,210
CEO was literally on record as saying we
470
00:21:01,580 --> 00:21:08,090
don't care about security we sell
471
00:21:04,210 --> 00:21:09,980
cameras yeah so it's real there's a lot
472
00:21:08,090 --> 00:21:13,418
of attitudes out there like why do we
473
00:21:09,980 --> 00:21:16,039
need to bother with all this security a
474
00:21:13,419 --> 00:21:17,360
lot of these companies until they got on
475
00:21:16,039 --> 00:21:19,100
the Internet they really didn't have to
476
00:21:17,360 --> 00:21:21,350
worry about security in the sense of
477
00:21:19,100 --> 00:21:23,240
networking security internet security
478
00:21:21,350 --> 00:21:26,330
all this stuff that we're doing these
479
00:21:23,240 --> 00:21:28,970
days and that's legitimate to some point
480
00:21:26,330 --> 00:21:30,590
they didn't need to but they're they're
481
00:21:28,970 --> 00:21:32,539
in a connected world and I've always
482
00:21:30,590 --> 00:21:35,059
argued with my customers that you know
483
00:21:32,539 --> 00:21:36,889
there's a price to all that convenience
484
00:21:35,059 --> 00:21:39,408
that you're getting especially in the
485
00:21:36,889 --> 00:21:41,299
credit card world how many people are
486
00:21:39,409 --> 00:21:45,649
old enough to remember using a credit
487
00:21:41,299 --> 00:21:48,950
card back in the days when the clerk
488
00:21:45,649 --> 00:21:52,250
that was accepting your card would pull
489
00:21:48,950 --> 00:21:53,600
out a little brochure or magazine and
490
00:21:52,250 --> 00:21:55,340
flip through it to look up and see if
491
00:21:53,600 --> 00:21:58,669
your card was listed say maybe remember
492
00:21:55,340 --> 00:22:01,820
that year old year old hero
493
00:21:58,670 --> 00:22:03,650
more recently it would be you submit
494
00:22:01,820 --> 00:22:05,480
your credit card that bring out the cash
495
00:22:03,650 --> 00:22:08,420
register they turn around pick up the
496
00:22:05,480 --> 00:22:10,880
telephone dial an 800 number and wait
497
00:22:08,420 --> 00:22:13,280
for an operator and they would read off
498
00:22:10,880 --> 00:22:14,960
the transaction information you know the
499
00:22:13,280 --> 00:22:16,670
amount the credit card number they wait
500
00:22:14,960 --> 00:22:20,840
for the authorization anybody remember
501
00:22:16,670 --> 00:22:24,620
that yeah how long did that typically
502
00:22:20,840 --> 00:22:27,530
take 3 minutes 5 minutes 8 minutes 10
503
00:22:24,620 --> 00:22:30,199
minutes whereas nowadays you walked up
504
00:22:27,530 --> 00:22:32,149
well chip chip and signature
505
00:22:30,200 --> 00:22:34,580
notwithstanding because that thing's a
506
00:22:32,150 --> 00:22:35,600
bear but you swipe your card a few
507
00:22:34,580 --> 00:22:37,370
seconds later you've got the
508
00:22:35,600 --> 00:22:39,980
authorization and you're out so now
509
00:22:37,370 --> 00:22:41,689
we've regressed in using the chips which
510
00:22:39,980 --> 00:22:44,300
I don't understand but that's another
511
00:22:41,690 --> 00:22:46,160
story for another day the point I try to
512
00:22:44,300 --> 00:22:48,560
make to these companies over the years
513
00:22:46,160 --> 00:22:49,910
is you know how many how many people are
514
00:22:48,560 --> 00:22:51,919
you moving through the line how much more
515
00:22:49,910 --> 00:22:54,400
quickly how many more transactions how
516
00:22:51,920 --> 00:22:57,320
much more revenue are you earning
517
00:22:54,400 --> 00:22:59,840
because you're not doing that you know 3
518
00:22:57,320 --> 00:23:02,120
to 5 to 8 to 10 minute process you've
519
00:22:59,840 --> 00:23:04,760
turned it into a 15-second 30-second
520
00:23:02,120 --> 00:23:06,350
process they get that they understand
521
00:23:04,760 --> 00:23:08,450
the dollars and cents and then I say
522
00:23:06,350 --> 00:23:10,929
okay well that comes at a cost and one
523
00:23:08,450 --> 00:23:13,310
of the cost is you need to do security
524
00:23:10,930 --> 00:23:15,530
sometimes it works sometimes it doesn't
525
00:23:13,310 --> 00:23:18,050
the point is they don't have it as a
526
00:23:15,530 --> 00:23:20,210
background so part of sort of winning
527
00:23:18,050 --> 00:23:22,149
this this this thing that we're in of
528
00:23:20,210 --> 00:23:24,980
trying to make companies more secure is
529
00:23:22,150 --> 00:23:27,770
trying to help them understand the
530
00:23:24,980 --> 00:23:31,720
impact of security there's a need to do
531
00:23:27,770 --> 00:23:33,889
security and it generally boils down to
532
00:23:31,720 --> 00:23:39,320
especially in the commercial world of
533
00:23:33,890 --> 00:23:41,090
financial discussion if you haven't
534
00:23:39,320 --> 00:23:43,970
guessed already you know my response to
535
00:23:41,090 --> 00:23:46,699
just you you know we really don't need
536
00:23:43,970 --> 00:23:50,600
DoD level security and I'm like yeah
537
00:23:46,700 --> 00:23:53,510
you really do I even updated it up to
538
00:23:50,600 --> 00:23:54,860
the minute and I'm not even sure what to
539
00:23:53,510 --> 00:23:58,790
tell people that are dealing with
540
00:23:54,860 --> 00:24:03,000
malware but hopefully we can discuss
541
00:23:58,790 --> 00:24:05,159
that but and in fact
542
00:24:03,000 --> 00:24:07,530
I may know what the wireless password is
543
00:24:05,160 --> 00:24:11,460
for this hotel it's up there on the
544
00:24:07,530 --> 00:24:12,930
screen but I'm at that hotel I mean not
545
00:24:11,460 --> 00:24:15,690
to use my credit card here anywhere
546
00:24:12,930 --> 00:24:18,990
especially down at the bar cache home
547
00:24:15,690 --> 00:24:21,330
anyway lots of companies continue to be
548
00:24:18,990 --> 00:24:23,400
getting breached companies that you
549
00:24:21,330 --> 00:24:26,159
wouldn't expect you know government
550
00:24:23,400 --> 00:24:30,420
private sector or whatever even security
551
00:24:26,160 --> 00:24:32,960
companies it just seems to be going on
552
00:24:30,420 --> 00:24:36,990
and on and on Target was interesting
553
00:24:32,960 --> 00:24:38,790
because in the PCI world the last PCI
554
00:24:36,990 --> 00:24:40,770
organization I was working for we were
555
00:24:38,790 --> 00:24:42,899
actually negotiating to be the Assessors
556
00:24:40,770 --> 00:24:45,510
for Target and they actually had a
557
00:24:42,900 --> 00:24:47,940
really good reputation for having a
558
00:24:45,510 --> 00:24:49,560
security staff a rather large security
559
00:24:47,940 --> 00:24:51,240
staff they had invested in the
560
00:24:49,560 --> 00:24:53,610
technology they were doing all the right
561
00:24:51,240 --> 00:24:55,890
things, taking security and standards
562
00:24:53,610 --> 00:24:58,919
seriously and they got popped in an
563
00:24:55,890 --> 00:25:01,290
egregious way and it turns out that they
564
00:24:58,920 --> 00:25:02,220
were missing a few things and I think
565
00:25:01,290 --> 00:25:04,440
some of the things that they were
566
00:25:02,220 --> 00:25:06,510
missing goes back to the point that I'm
567
00:25:04,440 --> 00:25:08,160
hoping to make is there's something
568
00:25:06,510 --> 00:25:10,770
missing when you don't sort of have this
569
00:25:08,160 --> 00:25:13,490
mindset this attitude about security so
570
00:25:10,770 --> 00:25:16,620
let's move on
571
00:25:13,490 --> 00:25:18,830
why I think networks are insecure why I
572
00:25:16,620 --> 00:25:21,739
think organizations continue to lose
573
00:25:18,830 --> 00:25:25,500
continue to be breached is because
574
00:25:21,740 --> 00:25:27,690
essentially too often especially in the
575
00:25:25,500 --> 00:25:29,820
commercial world companies want to fast
576
00:25:27,690 --> 00:25:32,250
forward to the bottom line just tell me
577
00:25:29,820 --> 00:25:34,350
what do I have to buy where do I need to
578
00:25:32,250 --> 00:25:36,630
put it how much is it going to cost and
579
00:25:34,350 --> 00:25:39,300
then they make their decision they kind
580
00:25:36,630 --> 00:25:41,130
of skip over the classical things that I
581
00:25:39,300 --> 00:25:41,730
and others that have come from the
582
00:25:41,130 --> 00:25:44,430
military
583
00:25:41,730 --> 00:25:48,450
the DoD have tried to teach over the
584
00:25:44,430 --> 00:25:49,950
years and some degree are our industry
585
00:25:48,450 --> 00:25:51,900
has tried to teach is that you know you
586
00:25:49,950 --> 00:25:53,610
need to put processes in place you need
587
00:25:51,900 --> 00:25:55,770
to have some sort of policy or program
588
00:25:53,610 --> 00:25:57,300
you need to have some organization and
589
00:25:55,770 --> 00:25:59,190
sense of what you're trying to
590
00:25:57,300 --> 00:26:01,800
accomplish and they're like a yeah yeah
591
00:25:59,190 --> 00:26:03,510
yeah that's boring tell me what I need
592
00:26:01,800 --> 00:26:08,040
to buy you tell me where I need to put
593
00:26:03,510 --> 00:26:09,750
it so lots of different reasons and but
594
00:26:08,040 --> 00:26:11,480
they boil up I think to a couple
595
00:26:09,750 --> 00:26:13,940
different categories
596
00:26:11,480 --> 00:26:15,530
and if we're honest with ourselves in
597
00:26:13,940 --> 00:26:16,820
our industry I don't think we've helped
598
00:26:15,530 --> 00:26:20,450
a whole lot and I'm not saying us
599
00:26:16,820 --> 00:26:22,070
individually but you know it's a whole
600
00:26:20,450 --> 00:26:25,840
lot easier if you're in sales and
601
00:26:22,070 --> 00:26:28,639
marketing for a security vendor to just
602
00:26:25,840 --> 00:26:30,649
you know write up the sale how many of
603
00:26:28,640 --> 00:26:33,350
you need I think you need six this is
604
00:26:30,650 --> 00:26:35,720
how much you know it'll cost how many
605
00:26:33,350 --> 00:26:38,240
can I put you down for rather than walk
606
00:26:35,720 --> 00:26:40,430
through that complicated discussion or I
607
00:26:38,240 --> 00:26:44,000
was a consultant for many years it's a
608
00:26:40,430 --> 00:26:46,820
whole lot easier to buy a product than
609
00:26:44,000 --> 00:26:48,680
it is to buy a consulting engagement
610
00:26:46,820 --> 00:26:50,929
where you end up with a written report
611
00:26:48,680 --> 00:26:52,760
where in theory some of the people that
612
00:26:50,930 --> 00:26:54,500
are your customer already knew what
613
00:26:52,760 --> 00:26:56,600
you're going to tell them in fact very
614
00:26:54,500 --> 00:26:59,810
often as a as a consultant I would go in
615
00:26:56,600 --> 00:27:02,480
and say to certain people even in even
616
00:26:59,810 --> 00:27:04,850
in the PCI times what are you telling
617
00:27:02,480 --> 00:27:07,160
your management that they're not hearing
618
00:27:04,850 --> 00:27:09,530
because especially with PCI is that I've
619
00:27:07,160 --> 00:27:11,720
got this cool tape that I wear that says
620
00:27:09,530 --> 00:27:14,660
PCI and your management will listen
621
00:27:11,720 --> 00:27:15,770
because if it gets labeled PCI they're
622
00:27:14,660 --> 00:27:17,960
going to do it they're going to write
623
00:27:15,770 --> 00:27:19,280
the check just to make it go away that
624
00:27:17,960 --> 00:27:22,310
was one of the ways I was able to win
625
00:27:19,280 --> 00:27:26,210
win friends with IT and information
626
00:27:22,310 --> 00:27:28,570
security people but but it's not about
627
00:27:26,210 --> 00:27:34,310
the customers it's about us
628
00:27:28,570 --> 00:27:36,230
again using PCI as an example roughly
629
00:27:34,310 --> 00:27:39,620
99% of the companies in the world that
630
00:27:36,230 --> 00:27:42,290
have to do PCI don't talk to a QSA and
631
00:27:39,620 --> 00:27:44,090
yet the whole piece of PCI ecosystem is
632
00:27:42,290 --> 00:27:46,820
hinged on the security expert being the
633
00:27:44,090 --> 00:27:49,250
QSA and if you have a question ask your
634
00:27:46,820 --> 00:27:50,960
QSA if you're not sure of something if
635
00:27:49,250 --> 00:27:54,110
you need an interpretation if you need a
636
00:27:50,960 --> 00:27:56,270
risk-based conclusion drawn ask your QSA
637
00:27:54,110 --> 00:27:58,790
that's great if you're engaged with the
638
00:27:56,270 --> 00:28:01,400
QSA but literally 99% of the companies
639
00:27:58,790 --> 00:28:05,330
out there don't talk to a QSA who are
640
00:28:01,400 --> 00:28:09,220
they left to talk to vendors vendors in
641
00:28:05,330 --> 00:28:12,050
case you haven't figured it out yet lie
642
00:28:09,220 --> 00:28:13,610
vendors and I used to say that all the
643
00:28:12,050 --> 00:28:14,990
time and I've learned having worked for
644
00:28:13,610 --> 00:28:17,540
a vendor that they're not always
645
00:28:14,990 --> 00:28:19,880
shamelessly lying sometimes they're just
646
00:28:17,540 --> 00:28:21,560
ignorant and unaware and they don't know
647
00:28:19,880 --> 00:28:23,860
anything more than the customer so
648
00:28:21,560 --> 00:28:26,678
they're just spouting off the buzzwords
649
00:28:23,860 --> 00:28:30,070
the marketing pitches and buyer personas
650
00:28:26,679 --> 00:28:32,470
in the use cases there's this collective
651
00:28:30,070 --> 00:28:35,110
lack of understanding and knowledge in
652
00:28:32,470 --> 00:28:35,740
what why are we doing this what's this
653
00:28:35,110 --> 00:28:37,719
all about
654
00:28:35,740 --> 00:28:41,590
and that's I guess what I'm trying to
655
00:28:37,720 --> 00:28:44,020
hammer home more than anything so just a
656
00:28:41,590 --> 00:28:46,059
few lessons of what I think we can do in
657
00:28:44,020 --> 00:28:48,700
terms of looking at DoD level security
658
00:28:46,059 --> 00:28:50,440
there's probably more and again feel
659
00:28:48,700 --> 00:28:52,179
free to disagree with me but these are
660
00:28:50,440 --> 00:28:54,760
some areas that I've thought about that
661
00:28:52,179 --> 00:28:57,250
I think we've sort of skipped or omitted
662
00:28:54,760 --> 00:29:00,820
or not emphasized enough as we try to do
663
00:28:57,250 --> 00:29:14,620
this thing we call InfoSec in today's
664
00:29:00,820 --> 00:29:17,799
world movie very good and there's the
665
00:29:14,620 --> 00:29:20,949
proof they're actually sitting on a
666
00:29:17,799 --> 00:29:22,750
crazy supercomputer which the one I used
667
00:29:20,950 --> 00:29:24,010
to use at NSA is now in the NSA
668
00:29:22,750 --> 00:29:26,650
Cryptologic Museum
669
00:29:24,010 --> 00:29:29,169
so that's ancient technology that it
670
00:29:26,650 --> 00:29:31,900
used to rock because it was so fast that
671
00:29:29,169 --> 00:29:35,290
anyway the point of the movie sneakers
672
00:29:31,900 --> 00:29:37,990
the the point of this conversation that
673
00:29:35,290 --> 00:29:41,309
the protagonist and the antagonist are
674
00:29:37,990 --> 00:29:44,320
having is that the the world is at war
675
00:29:41,309 --> 00:29:46,330
paraphrasing and the war is not being
676
00:29:44,320 --> 00:29:48,428
fought with bullets it's being fought
677
00:29:46,330 --> 00:29:52,149
with data it's all about the information
678
00:29:48,429 --> 00:29:56,110
and I think that's true today as it's
679
00:29:52,150 --> 00:29:57,760
been for for decades the battles that
680
00:29:56,110 --> 00:29:59,860
were fighting the war that we're
681
00:29:57,760 --> 00:30:02,260
fighting it's all about the information
682
00:29:59,860 --> 00:30:04,540
and yet too often especially in the
683
00:30:02,260 --> 00:30:05,860
commercial world we're not focused on
684
00:30:04,540 --> 00:30:10,090
the very thing that we're trying to
685
00:30:05,860 --> 00:30:12,490
protect we focus on the technology that
686
00:30:10,090 --> 00:30:14,290
we think is being used to house, store,
687
00:30:12,490 --> 00:30:14,770
transmit the data that we're trying to
688
00:30:14,290 --> 00:30:16,990
protect
689
00:30:14,770 --> 00:30:20,320
and that's nuance and it might be
690
00:30:16,990 --> 00:30:22,990
nitpicky but I think it's significant
691
00:30:20,320 --> 00:30:26,320
gap when the focus is so often on the
692
00:30:22,990 --> 00:30:28,270
technology and not on what's on the
693
00:30:26,320 --> 00:30:32,290
technology that we might be interested
694
00:30:28,270 --> 00:30:34,300
in so disagree or agree with me but that
695
00:30:32,290 --> 00:30:35,360
is that that's what I'm putting forth to
696
00:30:34,300 --> 00:30:38,180
you guys
697
00:30:35,360 --> 00:30:39,590
so in terms of the risk equation when I
698
00:30:38,180 --> 00:30:42,320
think of the risk equation in the
699
00:30:39,590 --> 00:30:46,639
commercial world what immediately gets
700
00:30:42,320 --> 00:30:50,090
added to this equation is money risk as
701
00:30:46,640 --> 00:30:53,150
I said in the dod in terms of national
702
00:30:50,090 --> 00:30:56,360
security can be expressed in human life
703
00:30:53,150 --> 00:30:58,340
the risk in the in the real world is
704
00:30:56,360 --> 00:31:00,919
really dollars and cents it really boils
705
00:30:58,340 --> 00:31:02,750
down to money how much money you're
706
00:31:00,920 --> 00:31:04,670
standing to lose how much money do you
707
00:31:02,750 --> 00:31:08,000
you know are you comfortable with being
708
00:31:04,670 --> 00:31:10,430
fined what are the liabilities if you do
709
00:31:08,000 --> 00:31:12,140
or don't do certain things and then of
710
00:31:10,430 --> 00:31:15,050
course to try to reduce your
711
00:31:12,140 --> 00:31:17,270
vulnerabilities costs money to try to do
712
00:31:15,050 --> 00:31:19,129
something about your threats costs money
713
00:31:17,270 --> 00:31:21,950
all the countermeasures that we do
714
00:31:19,130 --> 00:31:27,740
costs money but because it's all about
715
00:31:21,950 --> 00:31:29,360
data what I'm proposing is you need to
716
00:31:27,740 --> 00:31:35,000
understand the value of the data that
717
00:31:29,360 --> 00:31:36,979
you're trying to protect in the DoD in
718
00:31:35,000 --> 00:31:39,710
the military and the government there's
719
00:31:36,980 --> 00:31:41,360
this concept of data classification not
720
00:31:39,710 --> 00:31:42,980
a new concept a lot of companies
721
00:31:41,360 --> 00:31:44,149
understand this and they know that they
722
00:31:42,980 --> 00:31:51,530
have to do it because of whatever
723
00:31:44,150 --> 00:31:53,750
regulatory standard but in the DoD there
724
00:31:51,530 --> 00:31:57,320
is a big difference between secret top
725
00:31:53,750 --> 00:32:00,800
secret confidential these are these were
726
00:31:57,320 --> 00:32:03,080
very distinct classifications that had
727
00:32:00,800 --> 00:32:05,930
very distinct differences in terms of
728
00:32:03,080 --> 00:32:09,679
data handling data storage data
729
00:32:05,930 --> 00:32:12,560
retention that aren't in my experience
730
00:32:09,680 --> 00:32:14,540
matched in the commercial world more
731
00:32:12,560 --> 00:32:16,850
often than not when I've been out at a
732
00:32:14,540 --> 00:32:18,740
customer site and they are required to
733
00:32:16,850 --> 00:32:22,209
do data classification it's sort of
734
00:32:18,740 --> 00:32:24,200
binary it's company confidential or
735
00:32:22,210 --> 00:32:26,240
unclassified we don't care about it and
736
00:32:24,200 --> 00:32:28,760
so they could have lots of different
737
00:32:26,240 --> 00:32:30,050
types of data that they care about but
738
00:32:28,760 --> 00:32:33,950
they just kind of lump it into one
739
00:32:30,050 --> 00:32:38,389
category in the government the best way
740
00:32:33,950 --> 00:32:39,380
that I can give you an analogy I'm just
741
00:32:38,390 --> 00:32:44,300
going to talk about it because I don't
742
00:32:39,380 --> 00:32:46,940
have the picture is in the way that it
743
00:32:44,300 --> 00:32:48,720
was explained to me and especially in
744
00:32:46,940 --> 00:32:50,520
terms of sort of the life expectancy
745
00:32:48,720 --> 00:32:54,090
the value of data in terms of how long
746
00:32:50,520 --> 00:32:56,010
it's it's valuable data was top-secret
747
00:32:54,090 --> 00:33:00,330
information that has to be protected
748
00:32:56,010 --> 00:33:02,250
forever most often what is secret about
749
00:33:00,330 --> 00:33:04,199
this and gosh this might have been in
750
00:33:02,250 --> 00:33:07,169
the news in the last couple days or
751
00:33:04,200 --> 00:33:09,510
weeks so think about this as you as you
752
00:33:07,169 --> 00:33:12,720
listen to media reports top-secret
753
00:33:09,510 --> 00:33:14,700
information very often is classified at
754
00:33:12,720 --> 00:33:18,210
that level not because of the data
755
00:33:14,700 --> 00:33:20,190
itself but because of how that data was
756
00:33:18,210 --> 00:33:24,179
obtained what we call methods and
757
00:33:20,190 --> 00:33:25,980
sources it's who knows that data how
758
00:33:24,179 --> 00:33:31,289
many people in the world know that data
759
00:33:25,980 --> 00:33:33,539
and and or how was that data conveyed in
760
00:33:31,289 --> 00:33:35,370
what circumstance you know sometimes it
761
00:33:33,539 --> 00:33:38,879
might be a conversation between two or
762
00:33:35,370 --> 00:33:40,699
three people inside a conference room in
763
00:33:38,880 --> 00:33:43,650
a certain building in a certain
764
00:33:40,700 --> 00:33:45,330
nation-state that isn't ours and if it
765
00:33:43,650 --> 00:33:47,940
was revealed that that information was
766
00:33:45,330 --> 00:33:49,918
known by us you would make the logical
767
00:33:47,940 --> 00:33:52,080
conclusion of one or two things either
768
00:33:49,919 --> 00:33:58,049
the room was bugged or somebody in that
769
00:33:52,080 --> 00:34:00,210
room is an agent, is a spy so in the old
770
00:33:58,049 --> 00:34:03,168
days very often if that information was
771
00:34:00,210 --> 00:34:05,909
discovered and they didn't find bugs
772
00:34:03,169 --> 00:34:08,520
people ended up missing so again it was
773
00:34:05,909 --> 00:34:11,970
a human life thing so the top-secret
774
00:34:08,520 --> 00:34:13,949
concept is again more often the methods
775
00:34:11,969 --> 00:34:17,489
and sources how the information is
776
00:34:13,949 --> 00:34:20,158
obtained now another example might be secret
777
00:34:17,489 --> 00:34:23,279
information again the analogy that I was
778
00:34:20,159 --> 00:34:25,740
given when I was learning this was think
779
00:34:23,280 --> 00:34:27,750
of a battlefield and and you've got a
780
00:34:25,739 --> 00:34:29,638
unit that's being pinned down by enemy
781
00:34:27,750 --> 00:34:31,889
gunfire there's a machine-gun nest
782
00:34:29,639 --> 00:34:35,099
there's mortar fire and so they want to
783
00:34:31,889 --> 00:34:37,169
call in an airstrike it's critical when
784
00:34:35,099 --> 00:34:39,929
they're calling in that airstrike to
785
00:34:37,168 --> 00:34:41,908
give the right coordinates and back in
786
00:34:39,929 --> 00:34:44,339
those days it was latitude and longitude
787
00:34:41,909 --> 00:34:46,560
nowadays I'm sure they use GPS and we
788
00:34:44,339 --> 00:34:50,149
got the drones and everything but you
789
00:34:46,560 --> 00:34:53,940
know think Korea think Vietnam think
790
00:34:50,149 --> 00:34:55,980
early early things in the desert you
791
00:34:53,940 --> 00:34:57,330
call in an airstrike it's really really
792
00:34:55,980 --> 00:34:59,040
important that you get the coordinates
793
00:34:57,330 --> 00:34:59,529
right so the bombs are dropping on the
794
00:34:59,040 --> 00:35:03,640
bad guy
795
00:34:59,530 --> 00:35:05,770
or the drones hitting the bad guy but 30
796
00:35:03,640 --> 00:35:08,049
minutes later once the airstrike has
797
00:35:05,770 --> 00:35:10,120
come in the fact that you were standing
798
00:35:08,050 --> 00:35:11,620
out there is a coordinates it's not
799
00:35:10,120 --> 00:35:14,109
really that important so the life
800
00:35:11,620 --> 00:35:19,480
expectancy is very short and that drives
801
00:35:14,110 --> 00:35:21,190
down the classification my point of all
802
00:35:19,480 --> 00:35:22,690
that is we don't really in the
803
00:35:21,190 --> 00:35:24,880
commercial world spend a whole lot of
804
00:35:22,690 --> 00:35:27,460
time distinguishing data and figuring
805
00:35:24,880 --> 00:35:29,500
out what the value is what the value is
806
00:35:27,460 --> 00:35:33,280
in terms of confidentiality integrity
807
00:35:29,500 --> 00:35:34,510
and availability we tend to just blanket
808
00:35:33,280 --> 00:35:35,890
everything we've got to protect the
809
00:35:34,510 --> 00:35:38,440
whole network but we got to protect
810
00:35:35,890 --> 00:35:39,730
everything at the same degree at the to
811
00:35:38,440 --> 00:35:41,470
whatever degree we think is appropriate
812
00:35:39,730 --> 00:35:43,240
we got to eliminate all the
813
00:35:41,470 --> 00:35:46,149
vulnerabilities without understanding
814
00:35:43,240 --> 00:35:50,770
that this server over here of course
815
00:35:46,150 --> 00:35:52,990
it's now in the cloud has vital research
816
00:35:50,770 --> 00:35:55,420
and development data that's under
817
00:35:52,990 --> 00:35:58,089
government contract and it's vital to
818
00:35:55,420 --> 00:36:01,810
national security interests versus
819
00:35:58,090 --> 00:36:03,550
payroll pirard for our employees versus
820
00:36:01,810 --> 00:36:05,650
customer information that were
821
00:36:03,550 --> 00:36:09,040
collecting different types of data
822
00:36:05,650 --> 00:36:11,320
different types of sensitivities
823
00:36:09,040 --> 00:36:13,150
criticality different types of values
824
00:36:11,320 --> 00:36:16,570
and yet we don't in the commercial world
825
00:36:13,150 --> 00:36:18,550
seem to quote seem to divide and conquer
826
00:36:16,570 --> 00:36:20,920
and understand what it is we're
827
00:36:18,550 --> 00:36:22,570
protecting we just do this blanket the
828
00:36:20,920 --> 00:36:26,800
network needs to be secure and it's not
829
00:36:22,570 --> 00:36:28,420
it's bad gluten do another concept is
830
00:36:26,800 --> 00:36:30,910
what used to be called security in
831
00:36:28,420 --> 00:36:33,640
depth we would call it more likely
832
00:36:30,910 --> 00:36:36,879
segmentation or isolation in today's
833
00:36:33,640 --> 00:36:38,740
networking world but this is an aerial
834
00:36:36,880 --> 00:36:41,560
photograph of a city that was
835
00:36:38,740 --> 00:36:43,600
constructed in the 1500s you know so the
836
00:36:41,560 --> 00:36:45,880
idea of layered protection is not new
837
00:36:43,600 --> 00:36:47,500
this goes back 500 years but I mean if
838
00:36:45,880 --> 00:36:51,220
you think about when were the first
839
00:36:47,500 --> 00:36:53,530
castles with moats built the idea of you
840
00:36:51,220 --> 00:36:56,430
know layers of protection is thousands
841
00:36:53,530 --> 00:36:59,620
of years old and it's really a military
842
00:36:56,430 --> 00:37:01,930
construct it's a military strategy for
843
00:36:59,620 --> 00:37:03,460
warfare that we've applied to the
844
00:37:01,930 --> 00:37:06,578
network is that good or bad
845
00:37:03,460 --> 00:37:09,230
I don't know but
846
00:37:06,579 --> 00:37:11,030
this is a typical Network at least a
847
00:37:09,230 --> 00:37:12,589
couple years ago for one of my PCI
848
00:37:11,030 --> 00:37:14,240
customers that we're trying to go
849
00:37:12,589 --> 00:37:15,740
through the idea of segmentation because
850
00:37:14,240 --> 00:37:17,089
they knew if they could isolate the
851
00:37:15,740 --> 00:37:19,459
systems that had the credit card data
852
00:37:17,089 --> 00:37:21,440
they'd only have to follow the security
853
00:37:19,460 --> 00:37:23,329
rules for those systems and not worry
854
00:37:21,440 --> 00:37:28,220
about everything else which I personally
855
00:37:23,329 --> 00:37:30,290
think is a bad idea but you know so this
856
00:37:28,220 --> 00:37:33,500
was the typical you know back-end data
857
00:37:30,290 --> 00:37:35,660
center operations office environment a
858
00:37:33,500 --> 00:37:38,569
couple versions of their retail location
859
00:37:35,660 --> 00:37:42,950
and the red circles were the the systems
860
00:37:38,569 --> 00:37:44,599
that were deemed to be housing or
861
00:37:42,950 --> 00:37:49,098
storing or processing credit card
862
00:37:44,599 --> 00:37:52,190
information that doesn't look a whole
863
00:37:49,099 --> 00:37:56,060
lot like that to me and that these days
864
00:37:52,190 --> 00:37:57,710
are now a lot of those environments are
865
00:37:56,060 --> 00:37:59,060
virtualized a lot of those environments
866
00:37:57,710 --> 00:38:00,890
are cloud-based a lot of the
867
00:37:59,060 --> 00:38:03,740
infrastructure is going to the cloud so
868
00:38:00,890 --> 00:38:07,250
this whole idea of layered protection I
869
00:38:03,740 --> 00:38:10,879
think it's maybe gone it's certainly
870
00:38:07,250 --> 00:38:13,040
hard to figure it out but I do agree
871
00:38:10,880 --> 00:38:17,290
that there's this idea of adding layers
872
00:38:13,040 --> 00:38:20,839
of security to your most sensitive data
873
00:38:17,290 --> 00:38:24,980
the way we were taught was for the
874
00:38:20,839 --> 00:38:27,109
security of some systems or some data it
875
00:38:24,980 --> 00:38:28,970
wasn't so much as the layers of
876
00:38:27,109 --> 00:38:31,940
protection so a bad guy could never get
877
00:38:28,970 --> 00:38:32,660
to it it was make it more trouble than
878
00:38:31,940 --> 00:38:36,170
it's worth
879
00:38:32,660 --> 00:38:38,328
you know make it more expensive for the
880
00:38:36,170 --> 00:38:42,680
bad guy and for us the bad guy was other
881
00:38:38,329 --> 00:38:44,089
nation states, to bother with trying
882
00:38:42,680 --> 00:38:46,940
to get at this particular set of data
883
00:38:44,089 --> 00:38:49,279
this particular set of information we
884
00:38:46,940 --> 00:38:50,810
actually used to evaluate systems so
885
00:38:49,280 --> 00:38:52,579
they worked on the defensive side we
886
00:38:50,810 --> 00:38:55,279
would evaluate the security of systems
887
00:38:52,579 --> 00:38:57,230
based on the projected cost of what it
888
00:38:55,280 --> 00:38:58,310
would take to break the system because
889
00:38:57,230 --> 00:39:00,500
it's machine made so it's
890
00:38:58,310 --> 00:39:02,750
computationally feasible we would
891
00:39:00,500 --> 00:39:06,020
calculate the cost and compare that to
892
00:39:02,750 --> 00:39:08,510
the what used to be the GNP which is now
893
00:39:06,020 --> 00:39:11,390
usually the GDP which is how you measure
894
00:39:08,510 --> 00:39:13,520
the economic wealth of a country which
895
00:39:11,390 --> 00:39:17,810
again is another discussion used to be
896
00:39:13,520 --> 00:39:19,670
GNP we would calculate it as against a
897
00:39:17,810 --> 00:39:21,650
certain nation-state's GNP
898
00:39:19,670 --> 00:39:23,960
and say are they going to spend that
899
00:39:21,650 --> 00:39:26,510
much money to try to get to this
900
00:39:23,960 --> 00:39:28,430
data yes or no if the answer was no we
901
00:39:26,510 --> 00:39:30,710
were done, move on. It wasn't necessarily
902
00:39:28,430 --> 00:39:32,720
perfect security it was more expensive
903
00:39:30,710 --> 00:39:36,160
than what it was worth and that was
904
00:39:32,720 --> 00:39:39,618
sometimes applying layers of security
905
00:39:36,160 --> 00:39:42,460
the biggest thing though is the upon
906
00:39:39,619 --> 00:39:45,410
reflection back to my beginning days of
907
00:39:42,460 --> 00:39:50,329
being involved in the government was as
908
00:39:45,410 --> 00:39:54,160
I looked back I realized when I went to
909
00:39:50,329 --> 00:39:57,680
work for this research facility
910
00:39:54,160 --> 00:40:01,308
back in the 80s that there was this
911
00:39:57,680 --> 00:40:03,589
culture of security and while there was
912
00:40:01,309 --> 00:40:05,990
perimeter fences there were also other
913
00:40:03,589 --> 00:40:08,390
processes and things associated with the
914
00:40:05,990 --> 00:40:12,549
perimeter fencing you know like barbed
915
00:40:08,390 --> 00:40:16,250
wire like cameras like a roving guard
916
00:40:12,549 --> 00:40:18,259
the front desk it seemed kind of
917
00:40:16,250 --> 00:40:20,210
silly at times but at various times over
918
00:40:18,260 --> 00:40:22,099
the years if there was a guard at the
919
00:40:20,210 --> 00:40:23,720
desk they were supposed to be looking at
920
00:40:22,099 --> 00:40:26,299
your picture badge and you know we would
921
00:40:23,720 --> 00:40:28,549
you know various facilities I worked for
922
00:40:26,299 --> 00:40:30,410
we would occasionally try to get by with
923
00:40:28,549 --> 00:40:33,589
each other's badge to see if the guard
924
00:40:30,410 --> 00:40:35,750
was paying attention and sometimes it
925
00:40:33,589 --> 00:40:38,450
worked and sometimes it didn't and more
926
00:40:35,750 --> 00:40:40,579
often it worked so various times you have
927
00:40:38,450 --> 00:40:43,669
heightened security DEFCON three or four
928
00:40:40,579 --> 00:40:45,559
or five the guards were required to
929
00:40:43,670 --> 00:40:47,030
touch the badge to make sure that they
930
00:40:45,559 --> 00:40:48,430
were really touching it in hopes that
931
00:40:47,030 --> 00:40:50,900
they were looking at it more carefully
932
00:40:48,430 --> 00:40:52,490
but then the guards would get the I
933
00:40:50,900 --> 00:40:55,640
think they would rip them off a radio
934
00:40:52,490 --> 00:40:57,529
these telescoping antenna things wands
935
00:40:55,640 --> 00:40:59,420
pointers so they could reach out and
936
00:40:57,530 --> 00:41:01,549
touch the badge because they didn't want
937
00:40:59,420 --> 00:41:03,109
to move from their spot but there was
938
00:41:01,549 --> 00:41:05,059
also strategies employed where the
939
00:41:03,109 --> 00:41:07,520
guards were rotated all the time because
940
00:41:05,059 --> 00:41:09,530
they wanted to prevent somebody saying
941
00:41:07,520 --> 00:41:11,599
hey Joe come on in I've seen you every
942
00:41:09,530 --> 00:41:13,579
day for the last you know 16 years
943
00:41:11,599 --> 00:41:15,859
come on in not knowing you'd been fired
944
00:41:13,579 --> 00:41:18,140
the day before there were layers there
945
00:41:15,859 --> 00:41:20,150
were strategies there were processes with
946
00:41:18,140 --> 00:41:21,558
each step along the way you know
947
00:41:20,150 --> 00:41:23,839
changing the locks on the doors
948
00:41:21,559 --> 00:41:26,450
periodically making it a longer
949
00:41:23,839 --> 00:41:28,970
combination that type of thing having
950
00:41:26,450 --> 00:41:30,680
the guards roaming the halls everything
951
00:41:28,970 --> 00:41:32,149
was a culture of security but more
952
00:41:30,680 --> 00:41:33,129
important than all the processes
953
00:41:32,150 --> 00:41:36,279
imperson
954
00:41:33,130 --> 00:41:38,319
everybody understood the mission because
955
00:41:36,279 --> 00:41:41,470
the mission of the organization in and
956
00:41:38,319 --> 00:41:43,390
of itself was security which I grant you
957
00:41:41,470 --> 00:41:46,990
doesn't exist often in the commercial
958
00:41:43,390 --> 00:41:48,490
world but I think and I'm hopeful that
959
00:41:46,990 --> 00:41:50,410
it's something that can be taught and
960
00:41:48,490 --> 00:41:52,839
something that can be trained to more
961
00:41:50,410 --> 00:41:55,868
companies is to have this attitude this
962
00:41:52,839 --> 00:41:58,270
mindset of you know we're in business
963
00:41:55,869 --> 00:42:00,039
yes we sell women's clothing but we're
964
00:41:58,270 --> 00:42:02,619
selling women's clothing in a connected
965
00:42:00,039 --> 00:42:05,140
world and we deal in certain type of
966
00:42:02,619 --> 00:42:07,660
information between our company and our
967
00:42:05,140 --> 00:42:09,549
customers that has value and we need to
968
00:42:07,660 --> 00:42:11,529
understand that value and understand it
969
00:42:09,549 --> 00:42:14,859
needs to be protected and protected in a
970
00:42:11,529 --> 00:42:17,260
in a manner that's appropriate for
971
00:42:14,859 --> 00:42:19,779
whatever risk we want to take given the
972
00:42:17,260 --> 00:42:21,609
liabilities given the limitations given
973
00:42:19,779 --> 00:42:24,539
our you know our bottom line or budgets
974
00:42:21,609 --> 00:42:27,369
and so forth but you know more than just
975
00:42:24,539 --> 00:42:28,930
you know taking the 30 minute security
976
00:42:27,369 --> 00:42:30,910
awareness training course once a year
977
00:42:28,930 --> 00:42:32,950
and snickering at the stupid video that
978
00:42:30,910 --> 00:42:34,930
you watched as somebody you know went
979
00:42:32,950 --> 00:42:38,410
out and bought some new and if anybody
980
00:42:34,930 --> 00:42:40,328
produces these things I apologize I've
981
00:42:38,410 --> 00:42:41,558
had to I've had to evaluate a lot of
982
00:42:40,329 --> 00:42:44,289
these security awareness training
983
00:42:41,559 --> 00:42:47,950
courses over the years and I take them as
984
00:42:44,289 --> 00:42:50,049
often as possible and you know they just
985
00:42:47,950 --> 00:42:52,118
seem to be people that are like you know
986
00:42:50,049 --> 00:42:53,770
they're very much focused on the
987
00:42:52,119 --> 00:42:55,270
creativity this time we're going to do a
988
00:42:53,770 --> 00:42:56,950
video this time we're going to do
989
00:42:55,270 --> 00:42:58,779
pictures of Papa this time we're going
990
00:42:56,950 --> 00:43:00,848
to slide from the right and fly from the
991
00:42:58,779 --> 00:43:04,770
left rather than providing any type of
992
00:43:00,849 --> 00:43:11,470
meaningful content yes
993
00:43:04,770 --> 00:43:16,150
no actually we'll get to that we'll get
994
00:43:11,470 --> 00:43:17,980
to that hold up building a culture of
995
00:43:16,150 --> 00:43:19,809
security having everybody in the company
996
00:43:17,980 --> 00:43:21,369
understand that security is important
997
00:43:19,809 --> 00:43:23,279
and what they do and what they don't do
998
00:43:21,369 --> 00:43:25,750
has something to do with security
999
00:43:23,279 --> 00:43:29,349
understanding the security is a life
1000
00:43:25,750 --> 00:43:31,960
cycle it's something that you do it's
1001
00:43:29,349 --> 00:43:34,299
not just a set and forget it's not plug
1002
00:43:31,960 --> 00:43:36,539
in a box and put particular settings on
1003
00:43:34,299 --> 00:43:39,609
it and walk away and think you're done
1004
00:43:36,539 --> 00:43:41,410
this is a slide that I used 20 years ago
1005
00:43:39,609 --> 00:43:42,970
when I came out of the DoD trying to
1006
00:43:41,410 --> 00:43:44,740
teach companies in the commercial world
1007
00:43:42,970 --> 00:43:46,209
that there's this thing called security
1008
00:43:44,740 --> 00:43:48,640
and it's a life cycle and
1009
00:43:46,210 --> 00:43:51,040
processes involved and we used to talk
1010
00:43:48,640 --> 00:43:52,900
about these processes of course we were
1011
00:43:51,040 --> 00:43:54,670
trying to sell a pen test so we started
1012
00:43:52,900 --> 00:43:56,080
with the assessing where are you you've
1013
00:43:54,670 --> 00:43:58,510
just plugged into the internet that you
1014
00:43:56,080 --> 00:44:00,430
have this existing network let's find
1015
00:43:58,510 --> 00:44:02,710
all your holes let's figure out it was
1016
00:44:00,430 --> 00:44:04,359
really a vulnerability assessment and we
1017
00:44:02,710 --> 00:44:05,920
will talk about once we've discovered it
1018
00:44:04,359 --> 00:44:07,990
how do you fix it how do you close your
1019
00:44:05,920 --> 00:44:09,849
holes how do you implement programs and
1020
00:44:07,990 --> 00:44:12,160
policies and procedures so it all works
1021
00:44:09,849 --> 00:44:14,410
and you architect and implement these
1022
00:44:12,160 --> 00:44:16,180
solutions you put in firewalls and IDS
1023
00:44:14,410 --> 00:44:17,560
and whatever and then at some point
1024
00:44:16,180 --> 00:44:19,868
you've got to measure it and see how
1025
00:44:17,560 --> 00:44:22,779
well you're doing and then it's you know
1026
00:44:19,869 --> 00:44:24,670
lather rinse and repeat we used to talk
1027
00:44:22,780 --> 00:44:27,130
about this cycle in terms of like a
1028
00:44:24,670 --> 00:44:29,080
three to five year process this process
1029
00:44:27,130 --> 00:44:31,420
still exists every company is in the
1030
00:44:29,080 --> 00:44:33,848
midst of this process but the process
1031
00:44:31,420 --> 00:44:36,730
these days I think it's sometimes months
1032
00:44:33,849 --> 00:44:38,800
if not weeks if not days you know I
1033
00:44:36,730 --> 00:44:41,080
think of the next 0-day that comes out
1034
00:44:38,800 --> 00:44:42,670
and and how fast you need to be able to
1035
00:44:41,080 --> 00:44:44,710
respond to it and adapt to it
1036
00:44:42,670 --> 00:44:47,170
but companies for the most part in the
1037
00:44:44,710 --> 00:44:49,990
commercial world aren't cycled to think
1038
00:44:47,170 --> 00:44:53,349
security they're cycled to think money
1039
00:44:49,990 --> 00:44:55,359
revenue bottom line it's not part of the
1040
00:44:53,349 --> 00:45:00,070
culture it's not built into the fabric
1041
00:44:55,359 --> 00:45:01,920
of the company you know there's been
1042
00:45:00,070 --> 00:45:04,210
attempts by the government to put out
1043
00:45:01,920 --> 00:45:06,250
you know frameworks and various
1044
00:45:04,210 --> 00:45:08,250
standards the new cybersecurity
1045
00:45:06,250 --> 00:45:11,710
framework being one of the recent ones
1046
00:45:08,250 --> 00:45:13,060
notice that there's at least I see
1047
00:45:11,710 --> 00:45:14,800
there's a lot of similarities between
1048
00:45:13,060 --> 00:45:16,359
what they're putting out in terms of
1049
00:45:14,800 --> 00:45:19,150
sort of the major steps the major
1050
00:45:16,359 --> 00:45:22,270
processes and what we were talking about
1051
00:45:19,150 --> 00:45:24,970
20-25 years ago variations on a theme
1052
00:45:22,270 --> 00:45:27,190
but there's a process involved and
1053
00:45:24,970 --> 00:45:31,180
that's what is largely trying to be
1054
00:45:27,190 --> 00:45:33,070
taught you need to know where you are
1055
00:45:31,180 --> 00:45:34,960
you need to have policies and strategies
1056
00:45:33,070 --> 00:45:36,760
you need to have this culture of
1057
00:45:34,960 --> 00:45:39,430
security built in the companies and we
1058
00:45:36,760 --> 00:45:41,890
as practitioners if not for our own
1059
00:45:39,430 --> 00:45:44,440
company if we're in a in a role where we
1060
00:45:41,890 --> 00:45:46,420
talk to other companies as customers we
1061
00:45:44,440 --> 00:45:48,250
need to teach this we need to we need to
1062
00:45:46,420 --> 00:45:50,410
hammer this home we need to build this
1063
00:45:48,250 --> 00:45:54,040
in because I think this is more than any
1064
00:45:50,410 --> 00:45:56,859
technical solution any strategy any any
1065
00:45:54,040 --> 00:45:59,140
new box or widget or blinky thing that
1066
00:45:56,859 --> 00:45:59,740
you put out there is what's really going
1067
00:45:59,140 --> 00:46:02,680
to make a difference
1068
00:45:59,740 --> 00:46:04,868
ultimately and I'm a dying breed and you
1069
00:46:02,680 --> 00:46:11,560
can disagree with me but that's sort of
1070
00:46:04,869 --> 00:46:14,140
my last my last stance the DoD and they
1071
00:46:11,560 --> 00:46:18,070
know what this is it's called the
1072
00:46:14,140 --> 00:46:21,879
Rainbow Series a very comprehensive series
1073
00:46:18,070 --> 00:46:24,580
of guides that were put out the first
1074
00:46:21,880 --> 00:46:27,160
one was the orange book which I think
1075
00:46:24,580 --> 00:46:31,420
was published in 83 which was how to
1076
00:46:27,160 --> 00:46:34,480
secure a computer on a network and very
1077
00:46:31,420 --> 00:46:36,040
detailed very granular every aspect
1078
00:46:34,480 --> 00:46:38,680
every pop thing you could possibly think
1079
00:46:36,040 --> 00:46:40,390
of everybody that used to have to deal
1080
00:46:38,680 --> 00:46:42,700
with it laughed because it was very
1081
00:46:40,390 --> 00:46:43,810
comprehensive but everybody conceded
1082
00:46:42,700 --> 00:46:45,490
nobody's ever going to be able to do
1083
00:46:43,810 --> 00:46:47,890
this because there's just too much here
1084
00:46:45,490 --> 00:46:49,509
and that's when it was just four or five
1085
00:46:47,890 --> 00:46:51,490
of them I don't even know what all of
1086
00:46:49,510 --> 00:46:54,460
those are but as new technologies
1087
00:46:51,490 --> 00:46:58,390
emerged another guide was produced so
1088
00:46:54,460 --> 00:47:00,000
the DoD gave us that but and I apologize
1089
00:46:58,390 --> 00:47:01,240
you can't see this I saw this on
1090
00:47:00,000 --> 00:47:03,520
LinkedIn
1091
00:47:01,240 --> 00:47:05,979
probably two months ago somebody mapped
1092
00:47:03,520 --> 00:47:08,350
it out you can find it if you google CISO
1093
00:47:05,980 --> 00:47:11,140
mind map these are all the
1094
00:47:08,350 --> 00:47:13,118
disciplines sort of the major areas and
1095
00:47:11,140 --> 00:47:14,650
all the detailed things that a CISO is
1096
00:47:13,119 --> 00:47:16,000
supposed to know in order to be able to
1097
00:47:14,650 --> 00:47:18,340
do his job in today's modern
1098
00:47:16,000 --> 00:47:20,170
organization and I would submit to you
1099
00:47:18,340 --> 00:47:22,450
that all that fine print you can't
1100
00:47:20,170 --> 00:47:23,850
really read but if you google it later
1101
00:47:22,450 --> 00:47:26,859
you'll be able to find the details
1102
00:47:23,850 --> 00:47:29,319
probably 95% of those are tied to a
1103
00:47:26,859 --> 00:47:33,730
specific technology product which again
1104
00:47:29,320 --> 00:47:35,619
I think is missing the point when all
1105
00:47:33,730 --> 00:47:38,590
you do is know how to throw different
1106
00:47:35,619 --> 00:47:40,300
technology at this problem this is
1107
00:47:38,590 --> 00:47:42,340
another example that I saw somebody
1108
00:47:40,300 --> 00:47:44,950
attempted to come up with all the
1109
00:47:42,340 --> 00:47:46,780
different domains that there are in our
1110
00:47:44,950 --> 00:47:49,750
business and they try to group them and
1111
00:47:46,780 --> 00:47:51,730
organize them so you know the message
1112
00:47:49,750 --> 00:47:53,680
here is there's a lot to learn there's a
1113
00:47:51,730 --> 00:47:57,250
lot to know there's a lot of stuff going
1114
00:47:53,680 --> 00:47:59,470
on and yet if my belief is if you're
1115
00:47:57,250 --> 00:48:01,090
taking a completely technology centric
1116
00:47:59,470 --> 00:48:02,830
approach to all this and you're not
1117
00:48:01,090 --> 00:48:05,350
stepping into it with some sort of
1118
00:48:02,830 --> 00:48:06,670
overarching understanding of what you're
1119
00:48:05,350 --> 00:48:08,920
trying to do what you're trying to
1120
00:48:06,670 --> 00:48:11,680
accomplish you ultimately will lose
1121
00:48:08,920 --> 00:48:12,530
because I think we can agree we're never
1122
00:48:11,680 --> 00:48:14,720
going to protect there
1123
00:48:12,530 --> 00:48:16,160
I think we can agree we're
1124
00:48:14,720 --> 00:48:18,109
never going to drive the vulnerability
1125
00:48:16,160 --> 00:48:20,480
count down to zero there's always going
1126
00:48:18,110 --> 00:48:22,520
to be vulnerabilities out there so maybe
1127
00:48:20,480 --> 00:48:24,020
just maybe we should stop focusing on
1128
00:48:22,520 --> 00:48:25,220
the vulnerability it's not saying do
1129
00:48:24,020 --> 00:48:27,710
away with them not saying stop
1130
00:48:25,220 --> 00:48:29,810
addressing them as we find them out but
1131
00:48:27,710 --> 00:48:34,070
maybe we need to focus elsewhere too
1132
00:48:29,810 --> 00:48:36,410
like on the countermeasures you've
1133
00:48:34,070 --> 00:48:38,690
probably heard of this mantra in our
1134
00:48:36,410 --> 00:48:40,790
industry that security is really about
1135
00:48:38,690 --> 00:48:43,490
people processes and technology it's a
1136
00:48:40,790 --> 00:48:45,080
three-pronged approach I submit to you
1137
00:48:43,490 --> 00:48:48,529
that in terms of understanding the
1138
00:48:45,080 --> 00:48:50,900
culture that there's this idea of
1139
00:48:48,530 --> 00:48:53,480
purpose you know for the DoD it was the
1140
00:48:50,900 --> 00:48:55,490
mission to do security and while that's
1141
00:48:53,480 --> 00:48:57,710
not the mission of most companies in the
1142
00:48:55,490 --> 00:48:59,120
commercial world it needs to be a part
1143
00:48:57,710 --> 00:49:02,450
of the mission it needs to be understood
1144
00:48:59,120 --> 00:49:05,210
that security is part of we sell
1145
00:49:02,450 --> 00:49:08,450
shoes security is a part of we sell
1146
00:49:05,210 --> 00:49:10,940
hammers an appropriate part not overboard
1147
00:49:08,450 --> 00:49:14,419
not overdone but there is an appropriate
1148
00:49:10,940 --> 00:49:16,580
way to approach that so keep in mind
1149
00:49:14,420 --> 00:49:18,080
it's all about the information it's all
1150
00:49:16,580 --> 00:49:20,990
about the data with few exceptions
1151
00:49:18,080 --> 00:49:23,630
that's still true today it always will
1152
00:49:20,990 --> 00:49:24,319
be technology I don't believe is the
1153
00:49:23,630 --> 00:49:26,030
solution
1154
00:49:24,320 --> 00:49:28,370
I think technology's really the problem
1155
00:49:26,030 --> 00:49:30,860
I think we're losing ground frankly the
1156
00:49:28,370 --> 00:49:32,390
way technology has advanced and the more
1157
00:49:30,860 --> 00:49:34,820
we don't have the foundational
1158
00:49:32,390 --> 00:49:37,220
principles and processes built in the
1159
00:49:34,820 --> 00:49:38,600
the further behind we get whether we're
1160
00:49:37,220 --> 00:49:41,720
organizations whether we're
1161
00:49:38,600 --> 00:49:43,730
practitioners remember security is not
1162
00:49:41,720 --> 00:49:44,419
some place that you get to it's a
1163
00:49:43,730 --> 00:49:46,640
lifestyle
1164
00:49:44,420 --> 00:49:50,570
I say it's a verb it's something you do
1165
00:49:46,640 --> 00:49:53,120
and I think you can hold me to it but I
1166
00:49:50,570 --> 00:49:57,020
didn't say that word once did I in this
1167
00:49:53,120 --> 00:50:00,890
presentation knowledge and awareness is
1168
00:49:57,020 --> 00:50:02,300
key so to answer your question just a
1169
00:50:00,890 --> 00:50:04,940
quick word about the company that's
1170
00:50:02,300 --> 00:50:06,380
sponsoring the company called Cybrary
1171
00:50:04,940 --> 00:50:08,060
they've been around for about a year and
1172
00:50:06,380 --> 00:50:10,970
a half now they are dedicated to
1173
00:50:08,060 --> 00:50:13,040
providing open source learning and
1174
00:50:10,970 --> 00:50:16,669
training in the area of information
1175
00:50:13,040 --> 00:50:18,529
security you can sign up for free you
1176
00:50:16,670 --> 00:50:20,600
can take hours and hours of free
1177
00:50:18,530 --> 00:50:23,660
training there's lots of
1178
00:50:20,600 --> 00:50:25,460
pre-certification things you can do they
1179
00:50:23,660 --> 00:50:26,180
have things that you do pay for like
1180
00:50:25,460 --> 00:50:28,760
various
1181
00:50:26,180 --> 00:50:30,379
and detailed stuff that I think at a
1182
00:50:28,760 --> 00:50:32,630
personal level it's like maybe nine
1183
00:50:30,380 --> 00:50:35,109
dollars a month you know something
1184
00:50:32,630 --> 00:50:39,770
around $100 a year you can get
1185
00:50:35,109 --> 00:50:42,589
lots and lots of training they have they
1186
00:50:39,770 --> 00:50:44,809
just celebrated last week hitting the
1187
00:50:42,589 --> 00:50:46,788
million subscriber mark so they've got a
1188
00:50:44,809 --> 00:50:49,250
million people that are signed up taking
1189
00:50:46,789 --> 00:50:51,260
pre training you know going all the way
1190
00:50:49,250 --> 00:50:53,029
back to the beginning you know when I
1191
00:50:51,260 --> 00:50:55,640
said this talk was dedicated to my
1192
00:50:53,029 --> 00:50:59,240
mentor Becky Bace those of us that are
1193
00:50:55,640 --> 00:51:01,368
commands we sort of agreed that you know
1194
00:50:59,240 --> 00:51:03,500
trying to back fill the void that is
1195
00:51:01,369 --> 00:51:05,450
left with the passing of Becky Bace
1196
00:51:03,500 --> 00:51:07,760
it's very difficult but all of us need
1197
00:51:05,450 --> 00:51:09,490
to do our part so you know we that are
1198
00:51:07,760 --> 00:51:12,200
sort of the old-timers and the
1199
00:51:09,490 --> 00:51:14,660
gatekeepers of all this institutional
1200
00:51:12,200 --> 00:51:16,609
knowledge we're committed to sharing
1201
00:51:14,660 --> 00:51:18,890
that knowledge with the community as
1202
00:51:16,609 --> 00:51:21,500
much as possible it's one of the reasons
1203
00:51:18,890 --> 00:51:24,078
why I come out and speak I've got a head
1204
00:51:21,500 --> 00:51:25,880
full of sometimes my wife thinks useless
1205
00:51:24,079 --> 00:51:28,339
knowledge but I want to share it with
1206
00:51:25,880 --> 00:51:30,710
you because security is this this huge
1207
00:51:28,339 --> 00:51:33,380
nebulous thing that needs to be
1208
00:51:30,710 --> 00:51:34,819
understood beyond all the fun technology
1209
00:51:33,380 --> 00:51:38,210
things that we do and all the fun
1210
00:51:34,819 --> 00:51:39,619
hacking things we do and I'm convinced
1211
00:51:38,210 --> 00:51:41,510
more than anything at the end of the
1212
00:51:39,619 --> 00:51:44,690
week at the end of the day at the end of
1213
00:51:41,510 --> 00:51:45,799
our existence knowledge is the only way
1214
00:51:44,690 --> 00:51:48,319
that we're ever going to really advance
1215
00:51:45,799 --> 00:51:50,569
this thing forward so to answer your
1216
00:51:48,319 --> 00:51:53,930
question have I seen great training good
1217
00:51:50,569 --> 00:51:56,779
training hmm look there you might find
1218
00:51:53,930 --> 00:51:58,520
something that's pretty decent in fact
1219
00:51:56,779 --> 00:52:01,460
I've got a course up there that was put
1220
00:51:58,520 --> 00:52:03,799
up there I teach a course at Cybrary on
1221
00:52:01,460 --> 00:52:06,049
effective communication skills because
1222
00:52:03,799 --> 00:52:07,940
I've heard a lot of people at these cons
1223
00:52:06,049 --> 00:52:09,890
over the years talking about knowing all
1224
00:52:07,940 --> 00:52:11,539
the answers and I keep thinking if you
1225
00:52:09,890 --> 00:52:13,910
know the answer and you're working for a
1226
00:52:11,539 --> 00:52:15,349
company that's got an issue and you're
1227
00:52:13,910 --> 00:52:18,288
not getting the point across to them
1228
00:52:15,349 --> 00:52:19,880
maybe you're the problem and maybe the
1229
00:52:18,289 --> 00:52:22,819
problem is you're not communicating it
1230
00:52:19,880 --> 00:52:24,410
well so I took my 20 years of consulting
1231
00:52:22,819 --> 00:52:26,690
knowledge and wrapped it into a course
1232
00:52:24,410 --> 00:52:29,390
that's hopefully a little bit humorous I
1233
00:52:26,690 --> 00:52:30,799
got to wear my Jedi Master costume for
1234
00:52:29,390 --> 00:52:32,390
the whole thing they thought it was cool
1235
00:52:30,799 --> 00:52:33,170
I didn't think I'd get away with it but
1236
00:52:32,390 --> 00:52:35,690
they let me do it
1237
00:52:33,170 --> 00:52:36,750
so if nothing else go check out my
1238
00:52:35,690 --> 00:52:38,880
course
1239
00:52:36,750 --> 00:52:40,680
I have no idea what we're doing on time
1240
00:52:38,880 --> 00:52:43,490
but is there time for questions or
1241
00:52:40,680 --> 00:52:50,240
comments as I see people walking in
1242
00:52:43,490 --> 00:52:55,620
comments questions pushback yes yes I
1243
00:52:50,240 --> 00:53:05,160
can try you want the first one or the
1244
00:52:55,620 --> 00:53:08,339
second one good it's very good great
1245
00:53:05,160 --> 00:53:11,940
question a layer that I didn't add for
1246
00:53:08,340 --> 00:53:13,890
simplicity's sake but yeah basically
1247
00:53:11,940 --> 00:53:17,700
when I was taught risk equation in the
1248
00:53:13,890 --> 00:53:20,190
DoD it was there were always two versions
1249
00:53:17,700 --> 00:53:23,069
considered one was the likelihood that
1250
00:53:20,190 --> 00:53:27,270
something was going to be attacked so
1251
00:53:23,070 --> 00:53:29,130
the likelihood of compromise and the
1252
00:53:27,270 --> 00:53:31,470
second was the likelihood of success if
1253
00:53:29,130 --> 00:53:33,720
somebody were to try to you know do
1254
00:53:31,470 --> 00:53:35,160
something to this what would what what's
1255
00:53:33,720 --> 00:53:37,560
the likelihood that they would succeed
1256
00:53:35,160 --> 00:53:39,270
so you know when we were trying to map
1257
00:53:37,560 --> 00:53:40,860
this out and you know I could I could
1258
00:53:39,270 --> 00:53:42,750
geek out and probably do it maybe I will
1259
00:53:40,860 --> 00:53:45,510
do a talk on the risk equation someday
1260
00:53:42,750 --> 00:53:48,030
but we kind of mapped it out in a
1261
00:53:45,510 --> 00:53:49,680
four-square which I kind of refused to do
1262
00:53:48,030 --> 00:53:53,160
because there's a certain company that I
1263
00:53:49,680 --> 00:53:57,660
don't like that misuses four-squares we
1264
00:53:53,160 --> 00:53:59,430
won't get into that so yeah risk
1265
00:53:57,660 --> 00:54:01,020
can be very complicated and it's very
1266
00:53:59,430 --> 00:54:03,990
nebulous but when you're talking to
1267
00:54:01,020 --> 00:54:05,430
c-level people with an organization and
1268
00:54:03,990 --> 00:54:06,629
you start talking dollars and cents
1269
00:54:05,430 --> 00:54:09,060
that's usually when they can start
1270
00:54:06,630 --> 00:54:10,740
paying attention so I just you know one
1271
00:54:09,060 --> 00:54:12,750
of my Jedi mind tricks is to just
1272
00:54:10,740 --> 00:54:15,299
simplify you know break it down because
1273
00:54:12,750 --> 00:54:17,190
a lot of people get caught up in the
1274
00:54:15,300 --> 00:54:19,560
minutiae in details and most people
1275
00:54:17,190 --> 00:54:22,770
don't understand don't care just what's
1276
00:54:19,560 --> 00:54:24,980
the bottom line any other questions or
1277
00:54:22,770 --> 00:54:24,980
comments
1278
00:54:54,580 --> 00:54:58,340
so the question for the recording is you
1279
00:54:57,170 --> 00:54:59,960
know there's something in the news this
1280
00:54:58,340 --> 00:55:02,000
week with NATO talking about
1281
00:54:59,960 --> 00:55:03,590
anti-submarine warfare that that's back
1282
00:55:02,000 --> 00:55:07,100
in the news again
1283
00:55:03,590 --> 00:55:09,590
submarines carry nukes so that's I'm not
1284
00:55:07,100 --> 00:55:11,990
familiar with the details but my guess
1285
00:55:09,590 --> 00:55:14,470
is it's because some submarines carrying
1286
00:55:11,990 --> 00:55:16,430
nukes that they're in the news again
1287
00:55:14,470 --> 00:55:20,169
with the people in the room I'm thinking
1288
00:55:16,430 --> 00:55:24,910
my time is up so thank you everyone and
1289
00:55:20,170 --> 00:55:27,950
enjoy your conference as long as well
1290
00:55:24,910 --> 00:55:29,600
and I've got stickers if you want them
1291
00:55:27,950 --> 00:55:31,520
I've got some strawberry stickers and
1292
00:55:29,600 --> 00:55:33,910
some security weekly hack naked stickers
1293
00:55:31,520 --> 00:55:33,910
up here