44CON 2013 - Security Lessons from Dictators - Jerry Gamblin


DESCRIPTION

What do the Grand Ayatollah Seyyed Ali Hosseini Khamenei, Kim Jong-un, Julius Caesar, Abraham Lincoln, Napoleon Bonaparte and Adolf Hitler have to do with network security? Come and discover the mistakes these dictators made, what those mistakes can teach us about network security, and how to apply the lessons to our companies and coworkers.


Security Lessons from Dictators

#44Con, September 12th 2013

About me

Jerry Gamblin, Security Specialist, Missouri House Of Representatives

Contact Information: Jerry.Gamblin@gmail.com | @jgamblin | www.jerrygamblin.com

About this talk

History does not repeat itself, but it does rhyme.

- Mark Twain

Security Lessons from Dictators

Insider Threats

Et tu, Brute?

Gaius Julius Caesar, Dictator Perpetuo of The Roman Empire

Marcus Junius Brutus

49 BC: Fought with Pompey in Greece during the civil war against Caesar.

48 BC: Pardoned by Caesar.

46 BC: Made governor of Gaul.

45 BC: Made Praetor.

44 BC: Murdered Caesar.

How does your company defend against insider threats?

Insider Threats

You cannot detect and defend against insider threats from behind your keyboard.

Insider Threats

Insider threats are not a technical issue alone.

Insider Threats

People who steal your unprotected information are not hackers.

Edward Snowden

2004: Enlisted in the United States Army as a Special Forces recruit.

2005: Security Guard for the National Security Agency.

2007: Network Administrator for the State Department.

2011: Worked for NSA in Japan.

2012: Contractor for Booz Allen Hamilton.

2013: Leaked NSA surveillance programs to the press.

Could you have identified and stopped Edward Snowden on your network?

Incident Response

Execution of the Duke of Enghien.

Napoleon Bonaparte, Emperor of France

Louis Antoine, Duke of Enghien

• Only son of Louis Henri de Bourbon.

• Given the title Duke of Enghien at birth.

• Military school at Commodore de Vinieux.

• Fought in the French Revolutionary Wars against France.

• Married Charlotte de Rohan.

• Arrested for allegedly being part of the Cadoudal–Pichegru conspiracy.

Incident Response

It is worse than a crime, it is a blunder. ("C'est pire qu'un crime, c'est une faute")

How does your incident response plan look in real life?

How can security professionals handle investigations better?

Hacking Back

Suspending habeas corpus.

Abraham Lincoln, 16th President of the United States of America

Hacking Back

You are engaged in repressing an insurrection against the laws of the United States. If at any point on or in the vicinity of any military line which is now or which shall be used between the city of Philadelphia and the city of Washington you find [resistance] which renders it necessary to suspend the writ of habeas corpus for the public safety, you personally or through the officer in command at the point where resistance occurs are authorized to suspend that writ.

Lincoln to General Winfield Scott on April 27, 1861

Article 1, Section 9 of the United States Constitution

The privilege of the writ of habeas corpus shall not be suspended (by congress), unless when in cases of rebellion or invasion the public safety may require it.

Ex parte Merryman

Such is the case now before me, and I can only say that if the authority which the constitution has confided to the judiciary can be usurped by the President the people of the United States are no longer living under a government of laws.

Jon Huntsman, Commission on the Theft of American Intellectual Property

Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.

We'd politely remind them there's a federal criminal statute barring that.

- Justice Department's Computer Crime and Intellectual Property Section

What do you think the future of hacking back (active defense) is?

Advanced Tools Over Proven Techniques

Next Generation Everything!!!!!

I am getting ready to use Adolf Hitler and WWII to make a point about network security. I am not trying to be flippant or disrespectful in the slightest and I understand the extreme cost of war.

Adolf Hitler, Führer of Germany

Wunderwaffe

Sturmgewehr 44 - The first assault rifle

Horten Ho 229 - A turbojet flying wing stealth jet fighter/bomber

Flettner Fl 265 - The world's earliest known airworthy synchropter

Schwerer Gustav - An 800mm railway gun

V2 - First human-made object to achieve sub-orbital spaceflight

It has been argued that Germany lost WWII by picking advanced tools over proven techniques…

… just like IT security.

Highly Trained Staff - Everyone has a CISSP!

Patch Management System

Next Generation Firewall

Shiny SIEM

New Security Policy Guidelines

No End User Training - Unless mandated.

End Users Have Admin Rights.

No Auditing of Web Apps.

No one actually checks logs.

Shadow IT has taken over.

Why do security professionals have such a hard time getting the basics right?

Poor Security Awareness Training

USB Drives Don't Grow In The Desert

Grand Ayatollah Seyyed Ali Hosseini Khamenei, Supreme Leader of Iran

Nuclear Program of Iran

• 1957: The United States and Iran sign a civil nuclear co-operation agreement as part of the U.S. Atoms for Peace program.

• 1968: Iran signs the Nuclear Non-Proliferation Treaty and ratifies it.

• 1979: Iran's Islamic revolution puts a freeze on the existing nuclear program.

• 1982: Iranian officials announce that they plan to build a reactor powered by their own uranium at the Isfahan Nuclear Technology Centre.

• 1995: Iran signs an $800 million contract with the Russian Ministry of Atomic Energy in Bushehr.

• 2002: The United States accuses Iran of attempting to make nuclear weapons.

• 2004: Iran removes seals placed upon uranium centrifuges by the International Atomic Energy Agency and resumes construction of the centrifuges at Natanz.

Iranian Nuclear Scientists Killed

• Masoud Alimohammadi - January 12, 2010

• Majid Shahriari - November 29, 2010

• Fereydoon Abbasi - November 29, 2010

• Darioush Rezaeinejad - July 23, 2011

• Mostafa Ahmadi-Roshan - January 11, 2012

Stuxnet

• Computer worm discovered in June 2010.

• Written by the US and Israel to attack Iran's nuclear facilities.

• Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.

• It is initially spread using USB flash drives.

Bruce Schneier

I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere.

What are your thoughts on security awareness programs?

Misplaced Priorities

Kim Jong-un

• First Secretary of the Workers' Party of Korea

• First Chairman of the National Defense Commission of North Korea

• Commander of the Korean People's Army

North Korean Nuclear Program

Phase I (1956–80): Start of North Korea's domestic plutonium production program.

Phase II (1980–94): Growth of North Korea's domestic plutonium production program.

Phase III (1994–2002): The period of the "nuclear freeze".

Phase IV (2002–present): Renewed nuclear activities and tests.

What does your priority list look like for your security program?

Questions?


Thank You

Richard Clarke

"If you spend more on printer ink than on IT security, you will be hacked. What's more, you deserve to be hacked."