Will they never learn?
Key Takeaways
Discusses cybersecurity breaches and hacking incidents, including a water treatment facility hack, and emphasizes the importance of learning from mistakes
Full Transcript
holy cow somebody is doing to us what we were training our soldiers to do eight years ago to other other nations and i mean the the point is they haven't learned the lessons yet have they no i mean you could literally shut down a military base like that so when i saw this [Music] so neil you you mentioned this treatment plot and plant in florida and um i've heard some rumors that it had like team viewer or something something happened can you talk a little bit about that so we have another real world example of something that happened really recently and you know what did they do wrong what's your advice what can we learn from this yeah absolutely so um the blah for the bottom line up front right is there was a um there's a water treatment facility plant in florida um and and don't let me forget dave but i have a cool awesome nsa story to tell about this one as well so so i need to make sure i tell this but there's a water treatment facility plant in um in florida that um the the plant operator was at work one day and looked over onto their computer that they had in the office and noticed the mouse moving erratically across the screen at first he didn't think anything of it because they have a procedure set up that the the manager um remotes into that box frequently to check on things in the plant and to use that box remotely um and so he didn't think anything of it because he thought it was the manager who was remote remoting into that box to control it well a little while later he noticed the mouse was still moving and this time it was actually changing some of the chemical control values um and the water treatment facility plants specifically i think was the the um i'd have to check and see which specific chemical it was increasing but it was changing it to something like 11 parts per million to like you know 11 000 parts per million and what that would have done effectively is over the course of the next 24 to 36 hours is it would have caused you know a level of poisoning um to the community that it supported um uh you know you know in that regard what ultimately ended up finding out was um it was a publicly facing team viewer you know you know computer where they had they had easily accessible passwords where they had gotten access to that computer via teamviewer um and they had just started you know hey what does this do you know sort of thing when they gained access to it now in this particular case it didn't end up being part of a nation-state attack but and this is this is a story that i like to tell and it was it was super surreal for me to read about this story because um during my last few years in the air force we were helping to build um the first cyber training unit in the air force um and there's a video on my um on my linkedin and i can get you the link for that that talks about the making of a cyber warrior um actually i think you've seen that video yeah um and and that's the training school that we were building um you know to to train the next next generation of offensive uh cyber warriors um when we were standing up at school we were heavily focused at the time and one of my specialties was doing um scada and industrial control system offensive hacking um but cool stories to tell about things like hacking surface-to-air missiles um i could tell lots of cool stories about that maybe for a different time um but one of the things that we had done was we had worked out a partnership with the local water treatment facility plant and the local power plant we told them that we were teaching cyber defense and um what we were really doing was we were going to those organizations to see how those organizations worked so that we could think about what a cyber war would look like if we were to target water treatment facility plants and power plants and things like that and so long story short um you know we go into this organization this water treatment facility plant and they explain how water treatment facility plants work and all the chemicals and the science and everything else that's involved in that um and then they take us into their office and it's you know it's not a glamorous office it's like literally a one room type of office scenario and sitting right there on the desk is a computer running windows xp um you know on on a on a very very like 15 inch crt style monitor you know that that they still had and um you know there was no password on it it it the desktop looked like you know if you go to your grandmother's house and you see like you know 9000 icons on their desktop you know sort of thing um and one of the big windows that they had up there was a window that said uh your antivirus was like a thousand days out of expiry you know from an antivirus definition perspective and so we asked them we were like so what do you use this computer for and they were like um well we we obviously use it to surf the internet through the day but also it controls all of the um all of the regulators for all the chemicals that you would put into the water treatment facility plant day in and day out we were like who has access to this they're like well everybody who's here has access to it if you're in this room you could literally sit down at this computer and you can control everything in the water treatment facility plan and they were using um um you know a team viewer type application at that um water treatment facility plant um you know for a lot of the same reasons and this was back in 2000 and 2011 2012 so so you know mere eight years ago that this was going on um and what the impact was i say all this to talk about the cyber war implications right this was a water treatment facility plant that serviced an air base of you know 50 to 100 000 you know service members that was a special operations base they were doing you know special operations work we obviously had cyber operations that we were doing at that base as well they were doing a ton of intelligence work and if you could imagine you know that changing the chemical makeup of the water poisoned an entire community you could legitimately shut down a military base by just simply hacking into a water treatment facility plant changing the water making everybody sick and then nobody shows up to work at the at the base the next day you could literally shut down a military base like that so when i saw this water treatment facility plant in florida that's instantly where my head went was holy cow somebody is doing to us what we were training our soldiers to do eight years ago to other other nations and i mean the the point is they haven't learned the lessons yet have they no i mean they still have team viewer or without like proper security so let me let me ask you this question neil i've asked you kind of the same thing before when companies implement security do they do it properly or is it like this just a joke it i mean it's it's that's such a hard question to answer it's a great question it's a hard question to answer i don't so so let's take the water treatment facility plant right users will always do what's least impactful for their day-to-day work you've seen this on the networking side i'm sure right when you always right um is security is no different path of least resistance path of least resistance i i can't get access to the network i'll just go onto the wi-fi or i'll go to a different network jack or whatever the case is right it's like security versus ease or um what's the right term is it um is it i will i will always do what's more comfortable yeah even if it affects my security even if it affects my security and and you we'll we'll never train that out of users right we'll never treat nature human nature human nature you know and here's what i would challenge anybody who watches this video really ask yourself are you the perfect example of security do you legitimately have a unique password for literally every single account that you log into right some of you may say yes some of you may say no right are you legitimately doing two-factor authentication literally everywhere that you you're supposed to right really evaluate yourself and be honest with yourself you'll probably find that you're not the model you know cyber security person that you think you are in your day-to-day life and it and it gets worse because if you've got a wife and kids and they're not technical you know and and and that's a very good example it's like what do you do you can't just like walk into your wife and be like enable multi-factor authentication because like that's how you get in the doghouse real quick exactly yeah i mean it's like so i mean just taking this a step further i mean if you as a technical person who understands some of the risk don't implement what you should how is it how do you communicate that to a business where it's full of people so neil you've got a lot of experience in businesses how do you get across this message to the ceo all the you know all the the guys in charge how do you get the message across to do what's not comfortable this is going to be this is probably going to be popular opinion you know for folks who watch this video but it's a pragmatic approach to cyber security and and i go back to like our sock analyst right who's trying to make a decision on the glass of which alert to look right put yourself in that technical role let's say you've got two vulnerabilities right two um cvss common vulnerability scoring system 10 vulnerabilities right you have two cvs 10 vulnerabilities that just released today right on one hand you've got it's it's a cvss 10 which means that it could be the potential to be really bad but there's no publicly available exploit code there's no signs of it being exploited in the wild right for all intents purposes it's more of a theory vulnerability than it is anything else and then you've got another vulnerability over here that is the exact same severity but there is publicly available exploit code on github it's in metasploit right you know it's being exploited in the wild by all the common exploit kits and the ransomware kits which one do you patch first and everybody's instantaneous response in this industry is well you patch both of them they're both cvss 10 and that's the problem that we have in security is that we don't take a pragmatic approach to security because you can't tell the it organization to patch both they don't have the bandwidth to patch both and you the first part of that is recognizing in your own being real with yourself when you think about your own life it's not real for you to walk into your living room and tell your wife that you know she must have 80 different passwords for her social media accounts right and multi-factor authentication that's the same thing that's not going to fly in a company or organization and so you have to be realistic in those conversations and you have to say okay um okay i really want you to patch both but if you have to if you if you can only patch one please patch this one today and let's put this one on a path to get patched can we do it in the next 30 days you become incredible negotiators in a cyber security organization because what you really want is you want them to patch this one today because you don't want to deal with this incident tomorrow you don't want to have this breach conversation you don't want to be up for the next 36 hours dealing with an incident right so you want this one to get patched today this one until there's a publicly available exploit code until it's being exploited in the wild yeah it's a cvss 10 but you could probably wait 30 days and so i think the key is is again training ourselves that there is risk acceptance and there is risk tolerance inside of an organization that is a skill that is not taught to cyber security professionals in any of the stuff that we teach in any certification program out there so i mean how do you learn that stuff um i i i laugh because i'm over here like yet no i don't think i got a book on that one um you'll have to you'll have to talk to your you'll have to talk to like people at ine or or you know some of the some of the guys you know to create some content around that you it's hard you know it is hard it is hard and and you you don't that's a that's a trial by fire i hate to say it like that but you know i i think i think if you were to talk to if you were poll most of your viewers right and the new folks versus the experienced folks you know i know that for me when i first got out of the air force in 2013 and went into my first company i was i want every vulnerability patched if it's a cvss 10 i want every cvss 10 patch and i'd spent 10 years in the air force right and i was like there is no way that i'm walking into a private company like i had spent you know we talked about stories from from my days in in in you know cyber cyber command you know syria india pakistan right saudi arabia kuwait like finding windows xp's in in those environments is second nature right you will find them every which way to sunday finding android you know cell phones that have some of the first versions of the android operating system to do cell phone hacking common common place in in a lot of those countries just because they can't they don't have the infrastructure to support they can't afford the license cost to stay up to date on windows 10 you know you know throughout um when i got out of the air force in 2013 i was like there's no way that a billion dollar company can't replace all their windows xp machines with with whatever the latest was right um and so uh um when i saw that i was like no no we can't have windows xp running the largest financial backbone in the united states of america that's just unacceptable um and so i think you always start with these eyes that say we're going to solve every security problem by getting rid of bad passwords and enforcing mfa and updating all of our software and you realize that that banks still use as400s that don't support anything larger than eight character passwords and they can't do they barely do uppercase they can't do special symbols right i was part of a you were i know this is teed up as one of your questions but i was part of an organization was a fortune 100 company they had a manufacturing line that literally does 10 billion dollars a day worth of of revenue for them on the manufacturing line the very first computer on that manufacturing line runs windows nt and if that computer goes down it is 10 billion dollars a day that's gone that's solely dependent on a windows nt computer and that's that's today that's not five years ago no that's today that's today and and so you have to realize that businesses accept risk there is financial acceptance to risk and i'll tell this last story but i see one ask a question the first company that i worked at when i got the air force was a financial company and they had just suffered one of the largest um credit card breaches you know today when i when i joined them um i was privy to a terrible conversation at some of the upper levels of management where they had actually contemplated that it was cheaper for them to pay the fines than it was to build a cyber security organization yeah i mean it's i think when you when you knew in life you want to do the best but the older you get the more jaded you get [Laughter] and you realize that it's um the world is it's it's not black and white always it's it's it's a lot of a lot of different shades of grey if you like it's it's a it's a lot of give and take um well but i i think i i think the only thing that i would say is like when you get older you get jaded but i think when you're younger if you look at like a like a speedometer right zero to a hundred right everybody wants to jump in the sports car and go to a hundred right and i think the longer you're in cyber and the longer you you're in this game i think you quickly realize that um even though the speedometer says it can go to a hundred you're lucky if you can get it over 30 or 40 miles an hour because organizations are so slow to adapt is that what you mean it is it is and and and organizations are and i don't mean to sound all doom and gloom right i've i've made a i've made a career as a reality it's reality it is it is and so what you know one of the things that i've had to adopt in my career right is i'm going to go into an organization and i'm going to build the best damn cyber security program that i can in an organization and i'm going to take it as far as that organization organically will allow it to go and there's a lot of organizations that are super receptive and they'll let you excuse me they'll let you move pretty fast to a point but then at the end of that point they start to get into that organizational mentality they start to move really slow they start to throw roadblocks in front of you and that's the natural progression of where you can take most cyber security organizations um and then i start to look for you know i i said okay this is what your risk tolerance is for cyber security and i start to look for other organizations where you know i can go make that impact because you know you could you can run really fast and you can hit a plateau just like when you're working out or anything else like that and then you can stay there for 20 years and you might have gone from super accelerated to gradual improvement over the next 20 years and that's most what most people's cyber security career in an organization looks like you
Original Description
Another day. Another hack. Will they ever learn?
Menu:
Another day, another hack: 0:00
Treatment plant BLUF: 0:29
Airforce hack: 2:47
Neal's water-treatment past example: 4:12
Cyberwar can shut down an entire military base: 5:50
Is security implemented properly? 6:53
Neal's challenge to you: 8:07
Dog house: 8:40
How to get the message across: 9:00
Trial by fire: 12:15
Real world - what!! 13:10
10 Billion Dollars uses Windows NT: 14:30
Cheaper to pay fines: 15:40
You want to go at 100 miles an hour: 16:13
Build the best cybersecurity organization you can: 17:00
Video mentioned: https://www.youtube.com/watch?v=hw35yXbSLMw
================
Connect with me:
================
Discord: http://discord.davidbombal.com
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/davidbombal
================
Links:
================
eLearn Security: https://elearnsecurity.com
OSCP: https://www.offensive-security.com/courses-and-certifications/
INE: https://bit.ly/inetraining
SANS: https://www.sans.org/
Hack the box: https://www.hackthebox.eu/
Try Hack Me: https://tryhackme.com/
CTF Time: https://ctftime.org/ctf-wtf/
CEH: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
Cyber Blue: https://securityblue.team/
Cyber Defenders: https://cyberdefenders.org/
Did I miss something? Please comment.
================
Connect with Neal:
================
LinkedIn: https://www.linkedin.com/in/nealbridges/
Twitter: https://twitter.com/ITJunkie
Twitch: https://www.twitch.tv/cyber_insecurity
================
Support me:
================
DavidBombal.com: CCNA ($10): http://bit.ly/yt999ccna
Udemy CCNA Course: https://bit.ly/ccnafor10dollars
GNS3 CCNA Course: CCNA ($10): https://bit.ly/gns3ccna10
======================
Special Offers:
======================
Boson soft
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from David Bombal · David Bombal · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
RYU SDN Controller Part 4: Graphical User Interface (GUI): Practical GNS3 SDN and OpenFlow
David Bombal
HPE Network Protector SDN Application Part 1 - Introduction
David Bombal
HPE Network Protector SDN Application Part 2 : DNS Interception using OpenFlow
David Bombal
HPE Network Protector SDN Application Part 3 - Lab Setup using Physical Switches
David Bombal
HPE Network Protector SDN Application Part 4 - Demo of malicious websites blocked
David Bombal
HPE Network Protector SDN Application Part 5 - Demo OpenFlow table interception flows
David Bombal
HPE Network Protector SDN Application Part 6 - Demo of Physical Switch configuration
David Bombal
HPE Network Protector SDN Application Part 7 - Demo Service Insertion Tunnel / GRE Tunnel
David Bombal
HPE Network Protector SDN Application Part 8 - Demo SDN OpenFlow Reporting
David Bombal
HPE Network Protector SDN Application Part 9 - Demo switches interception of DNS traffic
David Bombal
GNS3 Talks: GNS3 version 1.5.X Appliance Tips
David Bombal
CCNA 200-125 Exam: AAA demo: TACACS+ with GNS3
David Bombal
GNS3 2.0.0 beta 2 install
David Bombal
CCNA #012: Learn SNMP with GNS3, Wireshark and Solarwinds NPM - CCNA 200-125 exam
David Bombal
CCNA #013: Spanning Tree CCNA Exam Questions: Know the answer? CCNA 200-125 exam
David Bombal
GNS3 2.0.0 beta : GNS3 VM integration with GNS3 GUI
David Bombal
CCNA #018: Routing exam questions: Who wins? OSPF, EIGRP or RIP? Sure? CCNA 200-125 exam
David Bombal
CCNA #019: Spanning Tree CCNA Exam Questions: Root Bridge, Root Port and more: CCNA 200-125 exam
David Bombal
GNS3 Download, installation and configuration - GNS3 1.5.3 and Windows 10
David Bombal
CCNA #023 EIGRP Neighbor Troubleshooting (DUAL Issues) for the CCNA 200-125 Exam
David Bombal
GNS3 2.0 Architecture and schema Part 1: What is the GNS3 Controller?
David Bombal
GNS3 2.0 Architecture and schema Part 2: Emulators and virtualization
David Bombal
CCNA #028 VTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
CCNA #029 VTP & DTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
CCNA #030 VTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
GNS3 : How to download Cisco IOS images and VIRL images. Which is the best? How do you get them?
David Bombal
GNS3 ASA setup: Import and configure Cisco ASAv with GNS3
David Bombal
GNS3 switching setup and options: Cisco and other switching options in GNS3
David Bombal
GNS3 switching setup and options Part 2: GNS3 unmanaged built-in switch
David Bombal
GNS3 switching setup and options Part 3: Router on a sick with GNS3 unmanaged built-in switch
David Bombal
GNS3 switching setup and options Part 4: Etherswitch Router for Cisco Dynamips Part 1
David Bombal
GNS3 switching setup and options Part 5: Etherswitch Router for Cisco Dynamips Part 2
David Bombal
GNS3 switching setup and options Part 6: Etherswitch, Wireshark, 802.1Q, InterVLAN routing
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 1: GNS3 Switching Part 7
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 2: GNS3 Switching Part 8
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 3: GNS3 Switching Part 9
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 4: GNS3 Switching Part 10
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 5: GNS3 Switching Part 11
David Bombal
GNS3 Nexus (NX-OSv) switch setup and configuration Part 1: GNS3 switching options Part 12
David Bombal
GNS3 Nexus (NX-OSv) switch setup and configuration Part 2: GNS3 switching options Part 13
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 6: GNS3 Switching Part 14
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 7: GNS3 Switching Part 15
David Bombal
GNS3 Cisco CSR 1000v setup and configuration Part 1: GNS3 NFV
David Bombal
GNS3 Cisco CSR 1000v setup and configuration Part 2: GNS3 NFV
David Bombal
GNS3 Talks: Use the NAT node to connect GNS3 to the Internet easily!
David Bombal
GNS3 Talks: GNS3 2.0 RC1 is now available
David Bombal
GNS3 Talks: GNS3 2.0 Portable Projects - easily export and import GNS3 projects
David Bombal
GNS3 Talks: Multiple clients sharing projects in real time, plus console session shadowing!
David Bombal
CCNA #035 NAT Troubleshooting Scenario 1 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
CCNA #036 NAT Troubleshooting Scenario 2 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
GNS3 Talks: ESXi, GNS3 VM and KVM support Part 1: leverage servers and the cloud
David Bombal
CCNA #037 OSPF Troubleshooting - can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
GNS3 Talks: ESXi, GNS3 VM and KVM support Part 2: leverage servers and the cloud
David Bombal
CCNA #038 NAT Troubleshooting Scenario 3 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
CCNA #039 - OSPF DR, BR and DROTHER Election - do you know the answers?
David Bombal
CCNA #040 NAT Troubleshooting Scenario 4 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
GNS3 Talks: Arista vEOS GNS3 import and configuration Part 1
David Bombal
CCNA #041 - OSPF DR, BR and DROTHER Election - do you know the answers?
David Bombal
GNS3 Talks: Arista vEOS GNS3 import and configuration Part 2
David Bombal
GNS3 Talks: ipterm: Linux, Docker, Python, SDN and more! Part 1
David Bombal
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Medium · AI
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Medium · Cybersecurity
Australian Cyber Security Centre Issues Alert on Mass Exploitation of CMS Vulnerabilities
Dev.to · NetSecOpsIO
Malicious 'jscrambler' NPM Package Versions Deploy Cross-Platform Infostealer in Sophisticated Supply Chain Attack
Dev.to · NetSecOpsIO
🎓
Tutor Explanation
DeepCamp AI