Jayson E. Street, Information Systems security expert and CIO at Stratagem 1 Solutions, describes his real-world intrusion engagements during his Defcon talk to show the flaws of the current security model within enterprises.

Hi! This is my talk. I want you to understand I had to start with this slide (see image) because I’m gonna say things that might sound a little bad, mean, spiteful, hateful – you know, all those other adjectives. I’m adorable; I’m a wonderful fluffy person and stuff, who does not like doing bad things unless people pay me. I would never try to kill you unless you pay me to try it – I promise. So when I tell those really harmful, terrible things I’m gonna be talking about, let’s just remember the kittens, okay? The title of my talk is “Steal Everything, Kill Everyone, Cause Total Financial Ruin!”, or how I walked in & misbehaved. Quite simply, it’s because of the security fails. It’s like I’m gonna explain to you that physical security and stuff, you know, is one of our biggest weaknesses, because people can understand 2-dimensional versus 3-dimensional when they are walking up to the front door.
Let’s start off with who I am. I’ve got a day job and a night job. My day job is I’m the AVP of Information Security at a financial institution. My boss is going to love this on Monday. What I do is I work in a cubicle with a lot of cool action figures around it. I monitor firewalls, I watch IDS systems, I build our infrastructure, I find more creative ways to secure it and to go after people who are coming after us. And I do all the day-to-day blue team stuff. My main job is blue team, the defense.
My night job is the CIO of Stratagem 1 Solutions where I do pen testing maybe like 3 times a year, and basically I do speaking engagements like this around the world. I’ve written a book “Dissecting the Hack: The F0rb1dd3n Network” and I also do some other writing. That’s what I do at night. So I respond to incidents during the day, I create incidents for other people at night – so, best of both worlds.

I love these pictures because you see the first picture with the baseball cap – that was me standing outside for an hour in front of the industrial park building, a secured facility, on a Sunday, with no traffic, and the security walked by twice and did not think to stop me and ask me “What the f… are you doing on the sidewalk just watching our building?” And he didn’t put it in his report either – so, bad on him. The second picture, you know, looking dapper in the glasses, is actually me going to apply for a job. Yes, I’m wearing a black hat colored shirt because I like to come with warning labels. I did not get the job – unfortunately I was way underqualified for that one. I did get their data, so win-win. These are my 2 favorite pictures of engagements I’ve been on. The one where I’m wearing the “I’m a liability” shirt, I think, is the best one because I stole a car in that shirt.
I was at a hotel off the coast, and the valet gave me the car, and I had to explain to him: “I can’t get in this car right now”, and he’s like “Why?” I said: “Well, because I’m stealing it. It’s like they paid me to do an assessment, I’m a liability.” It took him a while to figure that out, so I finally had to say: “You might wanna take this back, I think the owner is gonna want it.” The next one is my favorite, it’s one of the most secured facilities I’ve ever seen in my life, right across the street from Ground Zero, SWAT teams, you know, with cannon units, with their machine guns walking through the concourse, 8 security guards in the main elevator lobby, not including the business lobby. That’s me in the upper floors, wearing an actual valid badge and a shirt that says “Your Company’s computer guy”. I like that picture a lot. I’ll get more into that story in a little bit.
I deal with CISSP; I think the Code of Ethics says that I have to put a Sun Tzu quote in my talks, so there it is:

“… deception. Hence …” (Sun Tzu)

We’re done with the intro, halfway through, so far so good. We’re gonna talk about the one fact that we have to face when we’re dealing with this subject. We’re gonna talk about the 2 rules that I go by when I’m doing an engagement, and the 3 outcomes from those 2 rules. And hopefully I’ll get to conclusions and discussions.
Why this talk? I gave a talk last year about the beginning of social engineering. I was talking about things that you could do to try to get into the buildings. That was part 1, and quite frankly, I got some feedback afterwards, like: “Man, Jayson, that’s some basic concept stuff, you know. It’s like you weren’t showing any kind of NLP or anything.” Because I can’t. I am not a professional social engineering expert. I don’t know about NLP, I don’t know the psychology, facial recognition, mind ninja techniques. I still get in. I have a 100% success rate of getting into facilities when I’m doing a social engineering engagement. So it’s not that I’m that great, trust me – anybody will tell you that. It’s because our security is that weak. So this is an educational, and hopefully in a funny way, kind of talk just to give you an onset of where to go look for more stuff, and then hopefully have a good chuckle while you’re doing it. You are not going to learn anything new, but hopefully you’ll remember something that will make you go look at something else.