Attending Security BSides Athens
28 Jul 2017Last month Memset sponsored the after party of the Security BSides event in Athens, which brings experts and researchers together in order to discuss the latest advances and threats in Internet Security. Three members of the Memset team attended the conference and on their return, we caught up with them.
Why attend Security BSides Athens?
Tom: As a sponsor of the after party, we received a handful of tickets and I thought that it would be rude not to attend, so I took advantage of the opportunity and invited some folks from our customer facing 1st Line Team and Internal Corporate Infrastructure team. Once the invites were accepted I booked our flights.
Glenn: I’ll admit I was a little sceptical about attending. Security seemed fairly abstract from the hands on work my team do with customers. I tend to find myself working to resolve problems with MySQL crashing or websites not running properly. Prior to attending, security seemed like a lofty goal to be aiming for as so few of my customers are focused on security, predominantly due to a lack of resource within their organisation.
Chris: I hadn’t attended a summit for a long time, so was looking forward to exchanging ideas with experts and broadening my network to develop my knowledge. A key part of my role is to ensure that all internal Memset systems are up to date, patched and protected from malicious attacks, so I was hoping to pick up useful tips and familiarise myself with new Information Security tools.
What was on offer at Security BSides Athens?
Tom: Alongside the Greek Salad and the excellent coffee, the organisers had developed an excellent presentation programme, which included speakers such as Dave Lewis (@Gattaca) who gave the talk “The unbearable lightness of failure”. It was a great keynote talk about the benefits of a failure-positive culture, which reminded me of something my first boss once told me “fail fast and fail often”.
Chris: I found Dave Lewis’s talk truly inspirational in terms of what a security professional should consider. It reminded me that security professionals are humans, we all have our ups and downs, but we should treat each one as an opportunity to learn and evolve.
Glenn: After attending my first talk it was like someone switched a light on, suddenly this abstract notion of the security world was laid out for me. Those best practices that seem ‘more like guidelines than rules’ were very apparently NOT about simply saying ‘we should try to do this’ but more ‘you need to do this, otherwise you will be compromised’.
Can you pick one standout moment from Security BSides Athens?
Tom: Ioannis’s presentation, “Lightbulb framework – shedding light on the dark side of WAFs and Filters”, was incredible. They’ve been working on a way to enumerate Web Application Firewall types and versions and even model the internal logic of the appliance using a combination of finite state automata, context-free grammars and other things that I can’t pretend to understand. Very basically, and apologies for any inaccuracies, point it at a black box that’s preventing application-level attacks and it will figure out what that black box is, model it’s state and devise attacks from first principles. It reminded me that any sufficiently advanced technology is indistinguishable from magic.
Glenn: The handling of zero day vulnerabilities was the biggest eye opener, by definition you cannot patch against these. It isn’t about specific actions but more ensuring you have done everything you can to prevent it from affecting you.
Chris: Yes; my greatest lesson was realising how vulnerable an organisation can be. As Glenn says even a fully patched system isn’t invulnerable, particularly if the user has not been trained in good security practise. A more comprehensive approach is required – constant training and strong monitoring is key to keeping everything safe.
Glen: The WannaCry attack was mentioned several times during the event having only happened a few weeks prior. I had formulated this as a concept of a near miss; it could have been far worse if not for a stroke of luck from a curious security researcher. But what was hammered home was that patching would have been impossible. The best analogy of the day was “you can't run a Windows update on a heart monitor that is attached to a patient”. You must ensure that you don’t only have one layer of defence, but multiple layers.
And what about Security BSides Athens after party?
Glenn: Prior to it, I had incorrectly assumed I would just be existing in the same room as some of the most influential members of the security world – why would they want to talk to me a lowly First Line Support Member. I was completely wrong, people were more than happy to talk to me about what I had heard in the presentations and how this would affect the tasks that I perform on a daily basis.
Have you implemented any changes upon your return to Memset?
Chris: I immediately began work on optimising the internal security of our infrastructure even further. I made sure that every member of the Memset team was aware of when updates and patching were required on personal terminals.
I have also been working on a number of new systems that I learnt about in order to improve the monitoring of internal systems even further.
Glenn: I brought back fresh ideas on how to implement Internet Security for all of my customers. For example, I work with customers to help them understand that running a server behind a firewall isn’t an added cost but in fact an absolute imperative in the first line of defence.
Detecting a compromise early is imperative. Host monitoring, like our managed OSSEC service, can detect signs of compromise or sideways movement throughout systems. Attackers will not stop at compromising a non-administrator account and will try to escalate privileges and move to other systems in the local network, so there are opportunities to catch them.
Tom: The chief benefit for attending, personally speaking, was to get out of my organisation’s security echo chamber. Even in the most effective security team there can be a tendency to focus on one’s own biases, and there’s very little more effective than talking to and learning from more experienced practitioners to stimulate a little lateral thought and new ideas. I’m coming back to the team full of approaches to problems that I previously thought increasingly intractable. That and I’m going to play more with regexes…
Glenn: Tom I’ve got a question for you, when is the next event?
If you would like to read Ioannis Stais’s presentation, Lightbulb framework – shedding light on the dark disk of WAFs and Filters, you can find it here.