SecTor is Canada’s largest cybersecurity event. It has been running annually in Toronto since 2007. Guess which Hack The Box staff member lives in Toronto? Yep, your humble cybersecurity blogger, Kim Crawley. I would like to thank the SecTor team for the media pass they give me each year. This year and in future years, I’m proud to cover the event for Hack The Box’s blog.
Since I’ve been attending SecTor, it has always taken place at the Metro Toronto Convention Centre, which is footsteps away from the CN Tower. Well, with one exception. Last year the event was completely online due to the pandemic. We’re gradually transitioning out of pandemic restrictions, so this year’s event took place both offline and online. I missed going to events in person, so I made sure to attend physically this year. With my mask on, of course. The talks took place on November 3rd and November 4th.
I’m going to share with you a bunch of photos I took at the event, and some information about the talks I attended.
First of all, I was happy to see a Hack The Box fan, wearing a cap with our old logo. Thank you Letian for giving me permission to share this on our blog! We’ve got lots of great new merch at hackthebox.store if you want to look as cool as this guy.
Okay, onto the talks!
The first talk I attended was Best Practices: PAM Security & Data Privacy by Beyond Trust’s Chris Hills. PAM stands for Privileged Access Management.
A description of his talk:
“What is best practice? Best practices range from organization to organization as a result of each organization's risk appetite and risk tolerance. Learn about an effective approach to the most often asked questions surrounding access management strategy, maturity and priorities, and security risks. In this revealing presentation you’ll learn how to answer the question of what, how and why.”
Of course, we should all understand the Principle of Least Privilege. No user should have more privileges than are absolutely necessary to do their job. This minimizes the harm a cyber attacker can do if they take over an account, or at least the harm they can do without privilege escalation. It also limits the ability to conduct internal cyber attacks, and prevents people from accidentally performing actions outside of their jobs. There are many access control methodologies that implement this, such as Mandatory Access Control and Role-Based Access Control.
Managing privileged accounts can get more complicated with the cloud and the growth of remote workforces.
Hills discussed the mindset shift in organizations to deal with cyber threats such as data breaches in our new cloud based reality: “Now we move to a strategy of ‘we need to diversify amongst cloud providers.’ We have a backup on prem and our provider goes down. We’ve seen the breaches. It’s a reaction to what’s going to happen.”
Next, I attended Best Practices for Open-Source Management by Pete Chestna for Checkmarx.
A description of his talk:
“The vast majority of code in modern applications is made up of open-source components. This allows developers to focus on value-generating features and not on scaffolding and foundations. The challenge is that this scaffolding is not free like a lunch. It’s free like a puppy. That means that not only should you be careful in your selection, but that you must also be prepared to give it care and feeding. Learn how to create good habits around the usage of open-source software. This talk will provide actionable guidance for responsible use of open-source software.”
Some people argue that open source software is more secure because everyone can easily bug hunt the source code and develop security patches. Other people argue that open source software is less secure because cyber attackers can easily find vulnerabilities to exploit in the source code. The reality is that the situation is complex, with many factors. I and most of the talk attendees agreed with Chestna: neither open source nor proprietary software is inherently more secure. Chestna emphasizes that free software is free like a free puppy; it comes with responsibilities.
“The thing about open source, which is different from your first party code, is that everyone knows about it. CVEs (known vulnerabilities in the Common Vulnerabilities and Exposures database) are public. If you are not careful, if you are leaking information, for instance you may be leaking that you’re using Apache Tomcat... Well, it’s a quick jaunt over to see which CVEs apply here.”
The last talk I attended on Wednesday was The Quantum Threat: Where Are We Today? by Michele Mosca for evolutionQ Inc.
A description of his talk:
“Quantum computers will break currently deployed public-key cryptography (RSA, ECC, Diffie-Hellman, etc.) which is one of the pillars of modern-day cybersecurity. Thus, we need to migrate our systems and practices to ones that cannot be broken by quantum computers before large-scale quantum computers are built. First, I will give an update on the ‘quantum threat-timeline.’ Impressive progress in developing the building blocks of a fault-tolerant scalable quantum computer indicates that the prospect of a large-scale quantum computer is a medium-term threat. In November 2019, I estimated a 1/5 chance of breaking RSA-2048 within a decade. In a 2020 Global Risk Institute survey of 44 global leaders in quantum computing, 11/44 felt breaking RSA-2048 within a decade was ‘about 50%’ or ‘>70%’ likely. Has anything of practical relevance happened in the past 12 months? Is the threat getting closer, or has progress stagnated? Second, I will overview the state of affairs on the threat mitigation and practical short-term steps that organizations can take now. This includes an overview of soon-to-be-released ‘quantum-safe best practices’ by the Quantum Working Group of the Canadian Forum for Digital Infrastructure Resilience, and other ongoing work worldwide that is facilitating the evolution to digital infrastructures designed to be safe against quantum-enabled attacks. This will include a discussion about the state of post-quantum cryptography as well as commercial grade quantum key agreement.”
Quantum computers are coming in the next handful of years! So organizations such as IBM and NIST have been developing standards for “quantum safe” or “post quantum” cryptography for years, because quantum computers will be able to very easily crack the cryptography we rely on today. I mentioned this on our blog in July in “What the heck is quantum cryptography?”
Mosca said: “You need new public key crypto. If we can symmetric key crypto... the solution to protecting key attacks is to increase your key lengths. Easier said than done, ask anyone who’s done DES to AES migration. In the grand scheme of things, it’s a much easier problem.”
The first talk I attended on Thursday was Building Security Champions by my friend Tanya Janca, application security specialist with her own business, We Hack Purple.
A description of her talk:
“With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?”
Janca’s talk is all about encouraging one person in every tech team to champion security: to be the role model who encourages everyone else to develop software or manage IT in a way that improves cybersecurity. This is a concept that’s closely related to security culture.
She said: “You don’t have enough people to do all the jobs. It’s stressful. But you still gotta get the work done. Because there’s not enough people, we scale our team. I used to work for Microsoft, and they’re obsessed with the idea of scaling. They did make Azure, so that makes a lot of sense... The Security Champion is the person who’s super excited about security. It’s the person who emails you to ask questions, if that person hangs around... that person is interested.”
Yes, encouraging one person who’s interested in cybersecurity can be useful in improving security culture and practices in all organizations.
The next talk I attended was For The Greater Good: Challenging The Vulnerability Disclosure Status Quo by Olivier Bilodeau for GoSecure.
A description of his talk:
“Over the last five years, we have publicly disclosed the details about dozens of software vulnerabilities with varying degrees of severity and their effect on a wide range of vendors including Oracle, Pulse Secure, Microsoft, Antidote, and Akamai. We have acquired hard-earned experience on the difficulty faced dealing with clients and vendors, the risks and benefits of public disclosure, and many unanticipated corner cases of handling these new types of software weapons. This presentation will go over many cases of previously discovered and disclosed vulnerabilities and attempt to extract lessons to convince more organizations of the ethical obligation to do so, as well as solutions for managing responsible disclosure in the enterprise. Doing so will help Canada have a stronger IT security posture.”
Responsible vulnerability disclosure is important! Organizations need to know about security vulnerabilities in their software. But irresponsible disclosure could cause legal problems and also make adversaries aware of an organization’s vulnerabilities so they can be exploited.
Bilodeau said: “You need to disclose to the country of whatever bug you’ve found first. Then you disclose publicly if that’s your goal... In Quebec, the Passport app had vulnerabilities. They went straight to journalists and communicated very roughly. It created a public discussion that got everyone confused because people don’t understand it.”
The final talk I attended was Walking The Cybersecurity Data Tightrope by Travis Smith for Qualys.
A description of his talk:
“Data is the currency of the 21st century, and as true as this is for organizations, it also trickles down to the security team. There’s a delicate balance between collecting too much and not enough data. Too much data, and your SOC is sifting through endpoint, application and network logs for days on end. Not enough of the correct data makes it impossible to spot adversaries within your environment. And with more companies shifting to the cloud, this scenario only gets worse. Travis will cover strategies to walk this tightrope of data, striking just the right balance between too much and not enough data.”
Smith’s talk describes how defensive security has been forced to change recently.
He said: “What takes advantage of these attack vectors are the threats. Such as the actual malware which is running in memory, the usage of compromised credentials, and things like that. All three of these things come together for the attacker to progress along the attack chain until they ultimately achieve their actions and objectives.”
I had a lot of fun at SecTor! Afterwards, I headed back home, excited to share what I learned with our Hack The Box Community! It was an honor to receive the opportunity.
Thank you to the Lock Pick Village and The Binding Order for the lock picking kit. We must never overlook the importance of physical security!
Hack The Box is also going to BlackHat Europe 2021, November 10-11. Check out our press release here to see what we're up to!