Author's note:
This is a highly truncated version of this article due to Dev.to not allowing you to list more than 8 people in an article. Please visit the original article to read the full story.
When you think of Milwaukee, you might think of squeaky cheese curds, polka music, and the Bronze Fonz. But now I will always associate this city on the lake with cybersecurity, thanks to Cyphercon 6, which was held on March 30 and 31, 2023. This year there were nearly 1500 participants, making it the largest security or technology conference in Wisconsin.
Cyphercon is a 'hacker conference' much like Schmoocon or DEFCON. While there are sessions, the event also focuses on villages and capture-the-flag competitions. Unique among conferences I have attended, the first day started after lunch and ran until 10:30pm, when the networking after-party officially started.
There was so much knowledge shared by all the enthusiastic participants that it would be impossible to try and cover it all. Here are just a few highlights from the two-day event.
The Importance Of Security Training
Throughout almost every session, the speakers touched on the importance of training. According to some studies, 88% of all breaches are the result of human error; getting your team trained is not an option. Multiple presenters made the point that we can't just 'blame the user,' who might have only had a 5-minute overview during their orientation when they were brand new.
While ideally, you could get the executive team or non-technical staff to go to an event like Cyphercon to get some deeper exposure to cybersecurity; realistically, we need to come up with ways of making training more engaging and impactful.
In his talk "Executives: Overcoming the CyberSecurity Poverty Line," Robert Wagner said he sees teams and executives making the same mistakes over and over. He cited the fact that 45% of employees receive no security training at all from their employer. Training must become an essential part of risk management strategy.
Beyond just providing minimal training, organizations need to embrace a culture of learning, meaning ideally, team members should be continually learning and teaching each other new skills. Management should see training as an ongoing process and not just a box to check. He said great managers know if they can make learning fun and supportive, then they can create armies of security experts. The exact right balance is to "train them so well they could leave for another position but treat them so well that they want to stay!"
Another mistake is using security training as a punishment. Negative reinforcement will drive people to hide their behavior or, worse yet, breed resentment among coworkers who they fear might turn them in. We need to create a healthy security culture where it is clear that it is OK to ask for help and where everyone feels valued as a member of the security team, no matter what their title. He suggests combining security training with contests to see who can spot the most threats. Another example was to incentivize and celebrate people for sharing screenshots of phishing attempts.
If you need some ideas for building a training program, Robert shared some free cybersecurity basics training that you can use with your team.
Amazon's Cybersecurity Awareness Training - They use this same course internally at Amazon.
EdApp Free Cybersecurity Training - A mobile-based training series.
The name of Robert's session comes from Wendy Nather's research, where she defined the Cybersecurity Poverty Line as the threshold that divides all organizations into two distinct categories: those that are able to implement essential measures well and those that are unable.
Fantastic talk from @Mr_Minion at #CypherCon
"Executives: Overcoming the CyberSecurity Poverty Line"
Everything comes down to negotiation, good executives know how to deal with the balancing act that security requires.
@CypherCon22:11 PM - 30 Mar 2023
Email Threats
While folks in the cybersecurity world tend to focus on technical threats, including the software supply chain and malicious actors finding our credentials and installing ransomware, the majority of breaches involve a human being clicking on something they should not in an email. Teaching employees what to look for is a great step towards a more secure enterprise.
In his talk "You've Got Mail (and Misdirected Funds): A Demo of Business Email Compromise," Drew Hjelm walked us through a Business Email Compromise, BEC. It started with a user clicking on a suspicious email link, asking them to review a PDF. Instead of logging into the real site, they add their credentials, including MFA token, to the very real-looking phishing site.
The attacker then had access to the session token, which was then used to get access to the victim's Microsoft365 account. Once inside, the attacker finds a recent unpaid invoice, copies the format, and emails the victim an 'updated' invoice and implements some rules to make sure the bad emails are not flagged as junk and the legitimate emails from the original invoice are never seen.
While this is an all too common scenario, Drew said BEC incidents extend beyond the email inbox. He noted that Electron, which is the tech behind Slack, Teams, and Discord, can just as easily be compromised if an attacker finds the right URL containing an access token, similar attacks can be executed.
While education on how to spot a phishing attempt and what not to click on is a needed step toward better security, organizations also need to have some protections in place. Implementing conditional access, looking for things like unexpected IP addresses, or setting up domain impersonation protection rules can make it harder for attackers to succeed. Monitoring for suspicious activity such as mail rule changes can also help prevent BEC from succeeding.
This is one of the most useful talks I have been to at #CypherCon @DrewHjelm presenting "You’ve Got Mail (and Misdirected Funds): A Demo of Business Email Compromise"
$2.5B in play over the last few years.
It is not sexy, but it is a MAJOR threat to enterprises.
@CypherCon17:07 PM - 31 Mar 2023
Drew's points were reinforced by Joe Cicero in his talk "Dragons Can Fly." The name comes from the fact you can build fortified strongholds that can guard against armies of invaders, but dragons can just fly over our walls. In the real world, internal actors invite threats in, over the walls, by falling for phishing scams: the number one way ransomware ends up in systems.
Joe went on to say that training must be a continual process, even if it is highly effective. Even if the training content is excellent, the employee base for any organization will not be stable. Using some basic back-of-envelope math, he showed that a company with 5000 employees, who experience a turnover of 0.5% a month, means they are losing around 300 people per year. Those people will most likely be replaced, plus any hiring for growth the company does can mean many hundreds of new people to train every year.
To make training even more of a challenge, we need to deal with the constantly evolving threat landscape. The main 'new' issue he brought up that he is facing in his company was 'domain rental.' One of the ways to check if a website is legitimate is to see how long the domain has existed. Very new sites are less trustworthy, and you can filter for this across your networks. But did you know that for a few hundred dollars per month, you can rent existing domains that are years old and already categorized as 'safe' by most tools and launch attacks from there? This makes it much harder to prevent employees from seeing or clicking on suspicious links.
The best way to be safe is to turn your whole team into what Robert Wagner described as 'carbon-based intrusion detection systems' through empowering security training.
Very entertaining and informative talk about phishing from Joe Cicero at #CypherCon
"Dragons Can Fly"
@CypherCon20:06 PM - 31 Mar 2023
A Security Community Experience
Cyphercon 6 offered a lot of sessions, workshops, villages, and fun. Much more than I can write about here. The biggest takeaway from the event is that the security community really does care about keeping us all safe. No matter if that takes the form of students participating in a Capture the Flag event to learn about red teaming or if it takes the form of people presenting sessions on vulnerabilities in their field of expertise, this is a community of lifelong learners who are eager to share what they know. If you have never been to a 'hacker security conference' before, then I would strongly encourage it, and you won't have to wait until next Cyphercon. The organizers ended the event by announcing they will also be putting together Secretcon happening November 2-3, 2023, in Minneapolis.
RunicMajier@runicmajierSo a successful @CypherCon hope everyone got some nice swag and watched some awesome speakers! Thank you @Goetzman for being an awesome host as always, and the @tymkrs for awesome badges.00:53 AM - 01 Apr 2023
Top comments (0)