Appalachia Technologies Blog
Zero Trust World - Day 1
3…2…1... We have lift-off! Zero Trust World 2023 has officially launched and is coming to you from the Omni Champions Gate Resort in Orlando, Florida. Seated in a dark ballroom with a blue ambient light cascading throughout the room like the aurora borealis, I took in the events of the morning with splendor. The National Ballroom is the main stage where the morning’s activities took place. I don’t want to just bring you the information, but I want you to feel like you are here sitting beside me at the round table. No stone was left unturned at the event. As I sat at my table before the speakers even began, I was mesmerized by the exuberance and excitement pulsating through the room. If I were to close my eyes and just absorb the auditory environment, I would have assumed that I was at a trendy nightclub with upbeat music pulsating through the air.
The excitement did not end when the speaking started. Event emcee Adam Reed took the stage and grabbed the sizable crowd’s attention with witty jokes and also by announcing that there were attendees from quite literally around the world, including Australia, Austria, Hungary, and even St. Kitts and Nevis. Once he had us in his grasp he then pivoted to the importance of the Zero Trust World conference, as well as what we could expect from the event. Why is this conference important? It is an educational tool for managed services and security providers (MSSPs, such as us here at Appalachia Technologies) and small/medium businesses (SMBs) alike. To show the need for this education he pointed out some alarming statistics, such as that it takes an average of 191 days for an organization to even find that they have been breached. That is all time that the attackers have to abuse their victim’s data and networks until remediation efforts are made. Adam also pointed out that ransomware is the largest culprit in the world of threats at this point in time. In 2022 alone, there were $20 billion of ransom payment demands made by attackers. He extrapolated this outward to 2031 where it is expected that the yearly amount of ransom demands would surpass $260 billion. As if eyes were not already opened… they were about to be blown wide open by our next speaker, Bob Arno.
Who is Bob Arno? He is a professional criminologist and more notably, a professional pickpocket. He started his presentation by walking through the crowd of unsuspecting individuals, introducing himself and shaking hands as he made his way to the stage. When he reached the stage he started rifling through his pockets and pulled out several watches, hotel room keys, and even a cell phone. He began asking if these items belonged to anybody in the room. Shocked, many of the individuals he interacted with just a few minutes ago now found themselves walking to the stage to reclaim their pilfered belongings. The point that Mr. Arno was trying to make is that a threat can be anywhere and totally unseen. He asked the “victims” of the pickpocketing from a few minutes ago if they would be willing to stay on stage. He talked to each one individually about their attire and how it could be inviting to pickpockets or other criminals. What these individuals did not realize is that he was victimizing them again! He took cell phones, keys, and even was able to undo a few individuals’ neckties and pull them off from behind without them ever noticing. He was able to perform these tasks by using attention diversion while he was talking to the victim. He directed their attention somewhere else as he made the heist. Mr. Arno’s presentation included a lot of humor (and he was hilarious) and pickpocketing, but he bridged the gap to cybersecurity by explaining that his art is now going out of style. He explained that the best pickpockets in Europe are now changing their tactics to credit card fraud and spear-phishing. He insisted, though, that many of the same tactics are used, such as using a diversionary program on a computer to keep your attention off the malware that is being installed (sound like ransomware to anyone else?).
The goal of his presentation seemed to be to open our eyes to the world around us to the threats that are in plain sight but are rarely seen. His presentation did just that.
The final speaker of the morning was Michael Meis, who is the Associate Chief Information Security Officer for The University of Kansas Health Systems. He spoke about the “Art of (Cyber) War”, which is a play on the title of Sun Tzu’s two thousand-plus-year-old guide to warfare, “The Art of War”. He homed in specifically on the chapters of the book that speak about “focusing on victory”, “knowing thyself”, and “knowing thy enemy”. He demonstrated that although the methods of warfare have changed throughout the centuries since the concept was realized, the strategies by which warfare is conducted have remained remarkably the same, as they follow the teachings of “The Art of War”. The best way we can protect ourselves is to not only know our enemies and what they do but also to know ourselves and our limitations. The more we can do to mitigate those limitations the more secure our environments will be.
After a tremendously prepared lunch and time with the vendors in the vendor hall, I spent the afternoon touring through many hacking demonstrations. These occurred in a lab environment with dozens upon dozens of laptops set up with virtual machines, so the attendees could perform these hacks live, not just watch them happen on screen. Another hacking presentation showed what hackers can do immediately after gaining access to a target system. The hacking demonstrations were very relevant as they use tools that penetration testers and attackers use on a daily basis. One tool that I was introduced to was borderline terrifying and fascinating at the same time, and it is called a Rubber Ducky. A Rubber Ducky is a thumb drive that can have exploits programmed directly into it. Once that thumb drive is plugged into a device, even without any interaction with an input device, the thumb drive is programmed to execute the exploit and enter all of the commands within microseconds! I was given a Rubber Ducky and taught how to generate a script/exploit and then how to actually implement it. It really is as easy as just plugging it in. It does the rest. This demonstrates all the more the importance of zero trust. Zero trust technologies, such as ThreatLocker, would prevent any .exe that may be programmed in a Rubber Ducky from ever running, stopping the attack before it happens. Otherwise, using this attack vector, all the attacker needs is access to a USB port for mere seconds.
Day one has flown by and I can’t believe it is already done. It truly has been all I hoped it would be and more. I was entertained, I learned, and I grew. I can’t help but realize the importance of events such as this. I networked with engineers and MSP owners from across the globe, sharing experiences and ideas. It reminds me of the sense of community that exists in the world of cybersecurity. We are one team with one mission, and we are willing to share our expertise if it is for the betterment of the world. Zero Trust World provides us with a means of doing that. I’ll be back tomorrow with a recap of day two! Until then…
Stay safe (and secure) out there!
Curtis McPherson is a Lead SOC Analyst who also spends time performing penetration testing and ethical hacking, making him a true purple team member. Curtis graduated cum laude from Penn State University with a bachelor’s degree in Security and Risk Analysis, concentrating on cybersecurity and digital forensics. In his time at Penn State, he participated in the Technology Club, which conducted open-source intelligence (OSINT) investigations into missing person cases, using social media and the internet to find clues to their disappearance. Curtis is married with two cats and a bouncy bearded collie named Laddie. In his spare time, Curtis is an avid fiction writer, Civil War historian, and a tried and true lover of all things related to airplanes and aviation.