Stu Hirst, Photobox
War Stories - From The Front Lines Of InfoSec!
@stuhirstinfosec
Disclaimers:
• I like memes.
• I don’t take myself too seriously.
• Some of these stories may or may not have happened….
Who Am I?
• Public Speaker
• Run Security Scotland Meet Up
• Run the AWS Security Slack Forum
• Regular LinkedIn ‘Brain Farter’
The most difficult part of security incidents is that we don’t know what we don’t know!
(and we often rely on people telling us!)
INCIDENT NUMBER ONE
For legal reasons, I can’t tell you….
Boogle BadWords - Compromised Passwords
Impact: £30,000 of account spend
Attack vector: hack
What Happened/What Did We Do….
Lessons Learned!
• 2FA all the things!
• Use a password manager!
• Don’t trust 3rd parties, even boogle!
INCIDENT NUMBER TWO
Open AWS ElasticSearch Cluster
Impact: outage
Attack vector: ransomware
What Happened/What Did We Do….
Open AWS S3 Buckets are one of the easiest hacks to do….
… you just need to find them!
Lessons Learned!
• Don’t make anything in AWS publicly accessible by default!
• Alert on S3 open to the world!
• Automate, automate, automate!
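One way to act on “Alert on S3 open to the world” and “Automate”, as an added example that is not part of the talk: a Python check that flags buckets whose ACL or bucket policy grants public access, unless the bucket’s Public Access Block settings neutralise that grant. The bucket names and inputs below are constructed; in a real run the three inputs per bucket would come from boto3’s get_bucket_acl, get_bucket_policy and get_public_access_block responses.

```python
import json
# ACL grantee groups whose grants open a bucket to the world or to any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """(group, permission) pairs granted to public groups; acl is shaped like boto3 get_bucket_acl."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]
def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition
    (policy_json is the 'Policy' string returned by boto3 get_bucket_policy)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # simplified rule: conditional statements are not counted as public
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found

def bucket_alerts(name, acl, policy_json, block):
    """Alerts for one bucket; in block, IgnorePublicAcls neutralises ACL findings and
    RestrictPublicBuckets neutralises policy findings."""
    alerts = []
    if not block.get("IgnorePublicAcls"):
        alerts += [f"{name}: ACL grants {p} to {g}" for g, p in public_acl_grants(acl)]
    if policy_json and not block.get("RestrictPublicBuckets"):
        alerts += [f"{name}: policy {sid} allows Principal *"
                   for sid in public_policy_statements(policy_json)]
    return alerts

# Constructed sample inventory with placeholder bucket names (not real data).
ALL_USERS_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
OPEN_POLICY = json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open-photos/*"}]})
SAMPLE = {
    "example-open-photos": {"acl": {"Grants": [ALL_USERS_READ]}, "policy": OPEN_POLICY, "block": {}},
    "example-locked-backups": {"acl": {"Grants": [ALL_USERS_READ]}, "policy": OPEN_POLICY,
                               "block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
}
def scan(inventory):
    """Every alert across the inventory; an empty list means nothing is open to the world."""
    return [a for n, b in inventory.items() for a in bucket_alerts(n, b["acl"], b["policy"], b["block"])]
```

Only the bucket without Public Access Block raises alerts; the same grants on the locked bucket are suppressed, which is the “secure by default” setting the lesson asks for.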
INCIDENT NUMBER THREE
Phishing email with macro in Word doc
Impact: minimal
Attack vector: Phishing
What Happened/What Did We Do….
Lessons Learned!
• Don’t jump to conclusions!
• Allow yourself time to make decisions!
• Educate, train and test!
INCIDENT NUMBER FOUR
Two MySQL databases with default creds
Impact: thousands in bug bounty payment
Attack vector: hack
What Happened/What Did We Do….
Lessons Learned!
• Be careful who you get to carry out work for you!
• Lock down your data, all of it!
INCIDENT NUMBER FIVE
The Mystery Chinese ‘Bots’
Impact: hours of investigation!
Attack vector: none?!
What Happened/What Did We Do….
Lessons Learned!
• Understand when an incident has reached a conclusion!
• Focus on what you CAN protect, not on what you CAN’T
INCIDENT NUMBER SIX
The Public Wi-fi Password!
Impact: unknown
Attack vector: hack
What Happened/What Did We Do….
Lessons Learned!
• Check your office space before events!
• Employ a healthy dose of paranoia!
INCIDENT NUMBER SEVEN
The Trump Balloon
Impact: Twitter craziness!
Attack vector: unknown
What Happened/What Did We Do….
Lessons Learned!
• Don’t trust what you read on Twitter!
• Be careful with what you say on social media!
• Protect your personal accounts - you’re easy to find!
INCIDENT NUMBER EIGHT
Wannacry
Impact: A month of pain!
Attack vector: malware
What Happened/What Did We Do….
Where were we when Wannacry first kicked off?
Where was I for the week after it kicked off?
Lessons Learned!
• Don’t take holidays!
• Be prepared to change your view on something, quickly!
INCIDENT NUMBER NINE
The p*ssed-off leaver!
Impact: £20k a week!
Attack vector: insider/rogue employee
What Happened/What Did We Do….
1. 84 days to spot
2. £20k a week cost
3. Nearly 50 failures in process
Lessons Learned!
• Not everyone leaves ‘happy’
• If you’re a manager, ensure accesses have been removed!
SOME OF THE MORE LIGHT HEARTED INCIDENTS!!!
And to leave you with….
Toilet humour….
Lessons Learned!
• Don’t take your laptop into the toilet!
• Stickers help!
Thank you!
We’re recruiting!
Twitter: stuhirstinfosec
Q&A