Stu Hirst Photobox · Photobox. War Stories - From The Front Lines Of InfoSec! @stuhirstinfosec....

Post on 02-Oct-2020



Stu Hirst, Photobox

War Stories - From The Front Lines Of InfoSec!

@stuhirstinfosec

Disclaimers;

• I like memes.

• I don’t take myself too seriously.

• Some of these stories may or may not have happened….


Who Am I?


• Public Speaker

• Run Security Scotland Meet Up

• Run the AWS Security Slack Forum

• Regular LinkedIn ‘Brain Farter’


The most difficult part of security incidents is that we don’t know what we don’t know!

(and we often rely on people telling us!)


INCIDENT NUMBER ONE


For legal reasons, I can’t tell you….


Boogle BadWords - Compromised Passwords

Impact: £30,000 of account spend

Attack vector: hack

What Happened/What Did We Do….


Lessons Learned!

• 2FA all the things!

• Use a password manager!

• Don’t trust 3rd parties, even boogle!


INCIDENT NUMBER TWO


Open AWS ElasticSearch Cluster

Impact: outage

Attack vector: ransomware

What Happened/What Did We Do….


Open AWS S3 Buckets are one of the easiest hacks to do….

… you just need to find them!


Lessons Learned!

• Don’t make anything in AWS publicly accessible by default!

• Alert on S3 open to the world!

• Automate, automate, automate!
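One way to act on “alert on S3 open to the world”, as an added example that is not part of the talk: the decision logic a scanner would run over each bucket’s Public Access Block, ACL and policy status. The input dicts follow the boto3 response shapes of get_public_access_block, get_bucket_acl and get_bucket_policy_status; the bucket names and data are constructed, and the missing-guardrail check goes slightly beyond the slide’s alert.

```python
# Added example, not from the talk: flag S3 buckets that are open to the world
# from the three signals a scanner collects per bucket. Inputs follow the boto3
# response shapes of get_public_access_block, get_bucket_acl and
# get_bucket_policy_status; the sample data at the bottom is constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_permissions(acl):
    """Permissions the ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("Type") == "Group"
                  and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS))

def missing_guardrails(pab):
    """Public Access Block flags not switched on ({} means no block configured)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]

def exposure_findings(pab, acl, policy_status):
    """Reasons the bucket is reachable by the world right now. A public ACL or
    policy only counts when the Public Access Block does not neutralise it."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings, perms = [], public_acl_permissions(acl)
    if perms and not cfg.get("IgnorePublicAcls", False):
        findings.append("public ACL grants " + "/".join(perms))
    if (policy_status.get("PolicyStatus", {}).get("IsPublic", False)
            and not cfg.get("RestrictPublicBuckets", False)):
        findings.append("public bucket policy in effect")
    return findings

def scan(buckets):
    """Map bucket name -> findings; alert on every non-empty entry."""
    return {name: exposure_findings(b["pab"], b["acl"], b["policy_status"])
            for name, b in buckets.items()}

# Constructed sample: one bucket with a world-readable ACL and no block at all,
# one with the same ACL plus a public policy but the full block switched on.
WORLD_READ_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                              "Permission": "READ"}]}
SAMPLE_BUCKETS = {
    "example-marketing-assets": {
        "pab": {},  # get_public_access_block raised NoSuchPublicAccessBlockConfiguration
        "acl": WORLD_READ_ACL,
        "policy_status": {"PolicyStatus": {"IsPublic": False}}},
    "example-billing-exports": {
        "pab": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
        "acl": WORLD_READ_ACL,
        "policy_status": {"PolicyStatus": {"IsPublic": True}}}}
```

Running `scan(SAMPLE_BUCKETS)` flags only the first bucket; the second has the same public ACL but the block neutralises it, which is why the block itself is the thing to enforce by default.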


INCIDENT NUMBER THREE


Phishing email with macro in Word doc

Impact: minimal

Attack vector: Phishing

What Happened/What Did We Do….


Lessons Learned!

• Don’t jump to conclusions!

• Allow yourself time to make decisions!

• Educate, train and test!


INCIDENT NUMBER FOUR


Two MySQL databases with default creds

Impact: thousands in bug bounty payment

Attack vector: hack

What Happened/What Did We Do….


Lessons Learned!

• Be careful who you get to carry out work for you!

• Lock down your data, all of it!


INCIDENT NUMBER FIVE


The Mystery Chinese ‘Bots’

Impact: hours of investigation!

Attack vector: none?!

What Happened/What Did We Do….


Lessons Learned!

• Understand when an incident has reached a conclusion!

• Focus on what you CAN protect, not on what you CAN’T


INCIDENT NUMBER SIX


The Public Wi-fi Password!

Impact: unknown

Attack vector: hack

What Happened/What Did We Do….


Lessons Learned!

• Check your office space before events!

• Employ a healthy dose of paranoia!


INCIDENT NUMBER SEVEN


The Trump Balloon

Impact: Twitter craziness!

Attack vector: unknown

What Happened/What Did We Do….


Lessons Learned!

• Don’t trust what you read on Twitter!

• Be careful with what you say on social media!

• Protect your personal accounts - you’re easy to find!


INCIDENT NUMBER EIGHT


Wannacry

Impact: A month of pain!

Attack vector: malware

What Happened/What Did We Do….


Where were we when Wannacry first kicked off?


Where was I for the week after it kicked off?


Lessons Learned!

• Don’t take holidays!

• Be prepared to change your view on something, quickly!


INCIDENT NUMBER NINE


The p*ssed-off leaver!

Impact: £20k a week!

Attack vector: insider/rogue employee

What Happened/What Did We Do….


1. 84 days to spot

2. £20k a week cost

3. Nearly 50 failures in process


Lessons Learned!

• Not everyone leaves ‘happy’

• If you’re a manager, ensure accesses have been removed!


SOME OF THE MORE LIGHT HEARTED INCIDENTS!!!


And to leave you with….

Toilet humour….


Lessons Learned!

• Don’t take your laptop into the toilet!

• Stickers help!


Thank you!

We’re recruiting!

Twitter; stuhirstinfosec

Q&A