Some of the stuff you shared now I didn't know, and I'm sure a lot of people didn't know. It seems crazy that a pre-shared key can save me from quantum computers; that doesn't seem to make sense, but you know, that's just me saying random things.

Just before we continue with the interview, I've got to say that this video is sponsored by Cisco, but they're not forcing me to say certain things. This is a video about making the world a more secure place, because it's Cybersecurity Month. We're not going to concentrate on Cisco products; I just want to get experts sharing with us how we can do things better and make our companies more secure and make ourselves more secure. So, back to the interview.

Everyone, it's David Bombal, back with two very special guests, Kendall and Kirsty. Welcome!

Thanks, David!

Thank you for having me here!

Great to have you here. Now Kendall, let's start with you. I was looking at your LinkedIn profile; some interesting organizations you've worked for, right?

Yeah, I actually started out in the US Intelligence Community before making my way to the private sector, so I worked for the NSA and CIA for a period of time, mostly doing counterterrorism actually at that time, so my transition into cyber is probably a bit of a unique story.

And you currently work for Talos, right?

I do, yeah, Cisco Talos, yep.

What do you do at Cisco Talos?
Yeah, so I'm a senior intelligence analyst and strategic lead. I am on their strategic analysis team, so the work that we do really focuses on looking at the threat landscape at a 30,000-foot view: identifying new trends and patterns, trying to figure out what threat actors are doing the same or differently, and then really trying to level up a lot of the great work that my colleagues do to make it understandable for general audiences and executives, and trying to pull out those trends that can really help customers.

But I love this. I mean, you've worked for CIA, NSA, but you've also worked for Visa, right?

Yeah, yeah, just for a short time, but that was kind of my pivot from the classified world into the private sector. The easiest way was to take my intelligence analysis and strategic thinking skills and parlay that into the cyber realm, so it's still tracking bad guys and identifying threats and all that stuff. And a lot of the work that I enjoy now is, we do produce so much; in the Intel Community we would call it actionable intelligence. But here it's finding things that really make a difference: we can make new protections for Cisco products, we can report on threats that are emerging, and those things really help people in real life, so it's very rewarding.

I love that. And you've been at
Talos about, it's like seven years, almost.

Yep, yep, that's right.

Yeah, I love that, because I was going to say it just feels like the sky is falling sometimes with all the threats out there.

It does, it does, and there are just so many parallels to the counterterrorism world that I used to work in, and that's certainly one of them: the sky always falling, the bad guys always reinventing, and it's sort of a constant game of cat and mouse.

I want to ask you some questions about top threats, things companies are doing wrong, how we can protect ourselves, but before we get there. Kirsty, you've also got an interesting story. You were a maths teacher at one point, or math teacher for my American friends.

Yeah, I was, and that was incredibly fun; 11- to 18-year-old kids love learning math. And then after that I left and I went to the UK government, to the NCSC, the National Cyber Security Centre, which is a part of GCHQ for those listeners who may not be so familiar with it, and they're the National Technical Authority for the UK.

So GCHQ, just
for people who are not aware, is similar to the NSA, is that correct?

That's right, yeah, Government Communications Headquarters.

But you also did math there, right?

Yeah, that's right, yeah. So this is what, I guess, I'm showing right now; it's more like me.

I love it. I mean, at the moment you work for Splunk.

That's right, yeah, so I'm a field CTO for the EMEA region at Splunk. You can probably hear I have a British accent, and I'm based in Switzerland, in Geneva, so I speak a bit of French as well. My job is to go around and talk to our customers about their big strategic security problems.

I love that. I mean, I saw an interview where you were talking about when you were working for the UK government, you were looking at AI and quantum computing and IoT, and that is now reality. You were looking into the future, but now it's big today. Sorry, go on.

That's right, yes. My job was to horizon scan and find things that would affect the security of the UK in 5 to 10 years' time. So what was great about that job is, I was doing it well, because that stuff is happening today: the things we see in AI, the developments in IoT security, making sure that we can't form large botnets and that basic things like admin/admin don't exist anymore. That regulation is now in place in the UK, so it's quite cool actually, and I'm sure we'll talk about that.

So I'm going to ask you some questions now. Just for the audience, I put some tweets
out and some messages out on social media asking for your questions, and I've got some of them here, but some of them are my questions. Hopefully these are questions that you've got that you want answered; I get asked this kind of stuff all the time. So for either of you, Kendall, Kirsty, just answer, either both of you or whoever feels that you want to take the question. One of the top questions, and I think it's really important: what are the top cyber threats, like top three or whatever your favorite number is, the top cyber threats that we need to be aware of in 2024 going into 2025?

Yeah, I can start with that one. The first one is ransomware. Everybody's heard about ransomware, but it just continues to be a top threat, quarter over quarter, year over year, that is impacting our customers, and I think what this really shows is that it continues to work. It's effective; cybercriminals continue to see ransomware as an effective way to steal or coerce victims to pay them money. There's been some changes in that space; we've seen an influx of less skilled actors coming onto the scene with some of the leaked ransomware code and builders hitting the internet, which I can talk about, but ransomware looms large still. And I think the other bucket of threats that we're looking at, and that have been increasing, are identity-based attacks. So these are any way that an actor can steal your identity, co-opt your valid account, etc., to do malicious things, and this can take so many different forms. They can steal credentials from, say, a previous data leak; they can buy stolen credentials on the dark web from initial access brokers, that's a big market; password spraying attacks, brute force attacks; any way that they can get access to your legitimate account is what this refers to. And it's so effective, David, because once they have access to a legitimate account it's so much easier for them to
hide their activity, right, because network defenders seemingly aren't looking at that account and the activity coming from that account with any suspicion. And then of course once they're in the network they can do any range of things, like create new accounts, escalate privileges so they can get access to more sensitive information, they can conduct network reconnaissance, they can carry out internal social engineering attacks like business email compromise. I mean, it's really just a proliferation of threats from that point forward. So I'd say pretty consistently this year we've seen ransomware and then identity-based attacks, and I think we'll likely see those continue into 2025 as well.

I saw in the Talos report, I think it is 60% or something, is identity theft? Or is it like a really large number?

Yeah, I think that might speak to initial access. When we've been able to determine initial access in incident response engagements, something like 60 or 66% is valid accounts, so it is those actors going in and compromising legitimate users' accounts. So we've got the data right there to kind of show that that's at the root of a lot of compromises today.

So you mentioned BEC, or B-E-C, I don't know how
you pronounce it, Business Email Compromise. Can you talk about what that is? Because when I interviewed other people at Talos it seems to be something that's ongoing.

Yeah, we saw a rise in that last quarter. It's not a new threat; it's a type of phishing where an actor will pose as a legitimate person and try to trick the user into sending them money or transferring funds in some sort of way, so there's a financial component there, but it's heavily reliant on social engineering and tricking the user. And so when an actor gets access to a valid account and steals an identity and they want to carry out a BEC attack, it's much more believable, right, because it's being sent from an actual corporate email account, or from someone you think you know, asking you to move money around or to do any sort of nefarious activity.

What about vishing, or like, where rather than phishing they use the cell phones? Because I'm assuming that's a big thing as well.

Yeah, we've seen vishing. So vishing, for those who aren't familiar, that is phishing but over the phone, pretty much. So your threat actor is making a call to, it's usually somebody in HR, and pretending to be someone they're not, and they trick that person into divulging usually user credentials or something like that that they can then use to access the network. And we've actually seen vishing quite frequently in MFA bypass attacks. That'll be when an actor will call an IT help person and pretend to be some sort of legitimate actor, or perhaps even the user themselves, get that IT person to share the MFA login credentials, and then the actor can authenticate and then they can add additional devices and kick off their operations from there. So that's also a very real threat that we're seeing in terms of identity as it relates to the MFA side of the house.
The one that comes to mind is the Las Vegas casino attacks, which I think was
last year sometime?

Yes, yes, I remember seeing that in the news, and that goes to show how such a simple attack can affect a company or an organization that you think would probably be immune from that type of low-sophistication attack, so that's a great example.

So I mean, I've got to ask this. Rachel Tobac, who I highly respect, did these demonstrations with CNN where she was able to use a phone to just take over a reporter's account, or the one I really like is where she used AI to fake a voice and she phoned, I think it was the secretary or personal assistant of someone at 60 Minutes, and was able to get the passport details of that person just by mimicking the voice. So that seems to be a big problem. Kirsty, with your background in maths and the AI stuff that you've been looking at, I mean, this is a major nightmare?

Yeah, it's interesting how really there are two ends of the spectrum here. We're still seeing people get hammered by the most basic attacks, not having their basic cyber hygiene. At the other end of the spectrum, some threat actors are turning to AI because their stakes are so high, and MFA bypass is quite a sophisticated thing at this point; they're really having to dig in and find these different TTPs to be able to access things. I think phishing is quite sophisticated, and I would just caution organizations to make sure that they are fixing the problems they have. So it's quite nice to say we're defending against AI attacks, and those exist, but they're not the most common attacks, and so you really need to make sure that your cybersecurity hygiene is good enough that people are actually needing to turn to AI to attack you. In a way it's kind of a good position to be in; it's obviously more ideal. It's just a whole new threat landscape now that people have to work with.
I saw Splunk have this document, and I'll link all of these below, and I'm glad you mentioned that, because in this document about AI it's reality versus the anxiety people have, and like you just hit there, like I mentioned, people are worried about AI because you see Tom Cruise being mimicked online and stuff, but it sounds like that isn't as commonplace, right?

I mean, I would still say people are worried about AI phishing, phishing generated by AI, but in truth, how do you defend against phishing at the moment? You should educate your users, you should stop the mail ever getting to them, you should minimize the risks if they do click the link, you should create a reporting culture so that they're rewarded for saying "yeah, I made a mistake and now we're exposed", right? That applies whether the phish came from a person or an AI. So there's always something about going back to basics and making sure your defenses are robust at every level, and it will help you against AI for sure, but also against this huge swing of attacks that we still see today.

So let's talk about mistakes companies are making. One is not looking after the basics, right? So do you have like top three mistakes or something along those lines, things that companies are doing wrong, and then what things can they do better? So either of you, what mistakes have you seen companies making out there, and what are the top three things that they can perhaps do better?

I would say, straight off the bat, ransomware is still a problem. Still do backups, check your backups, exercise regularly, put them somewhere not on the place that will get ransomwared, right? Like, just straight up, just do that. That's my number one.
Yeah, and I think absolutely, you think about going back to security fundamentals, right, and the first thing that comes to mind is multi-factor authentication, MFA. We see so many cases of companies and organizations that could have prevented an attack if they had MFA deployed. Some organizations will roll out MFA partially, but it needs to be throughout your organization, on every endpoint, on every system, especially those network-facing devices; that is huge. And secondly, and this might sound obvious again, but patching, patching, patching, patching. We see so many compromises, it's still happening, where actors are exploiting known vulnerabilities. We know that there are challenges to patching for organizations, especially on those network-facing devices; perhaps they don't fall within the normal patch management schedule, or patching might cause downtime, but as much as organizations can, you've got to have a good patch management strategy in place, and that'll stop a lot of the attacks off the bat.

I totally agree, and it goes to that point that, yeah, it's great to say we need to defend against AI and zero-days, but actually vulnerabilities that are years old are still being used against organizations. So patching, absolutely, and MFA, I couldn't agree more; I think we'd be having a very difficult conversation today. Every organization needs MFA throughout the organization.

To Kirsty's point too about user education, I think that is
so huge, especially as we look at the data around identity-based attacks and how that's increasing. Security solutions are great, but to a large degree so much of this really depends on the user knowing how to spot something that looks suspicious, knowing what the current trends are out there in terms of TTPs, tactics, techniques and procedures, and that'll really help an average user be that first line of defense against a lot of those social engineering attacks that are happening.

And actually, to spin on that, when you have users that are willing and excited to do security, encourage them, right? So if you spot something that is malicious, toward that user: "you reported a phish, great, you were the first person to do that, we give you a gift card", right? How many more reports would you get if that was the culture in your organization?

Yeah, it's interesting. In this Splunk report again, human beings are the common denominator, right?

Yeah, I mean, we said social engineering preys on fear, it preys on urgency; these are human emotions. And psychologically, when you make a mistake at work, in any profession, who sits there and says "yes, that was me, I'm the idiot in the room"? It's much more common to try and hunker down, to try to cover your mistake. And we say yes, you should report if you click a link, but actually people are embarrassed, they're ashamed, they don't think they're going to be rewarded, they think they're going to be punished, they may even think they'll be fired. So how can you encourage users to report a phish all the time, and consistently and quickly? Because that will actually reduce your risk. The quicker you know about a problem, the better you can advance your defenses, respond to that incident, and you can contain any damage that's been done. So we need to think about the human side a bit in defense as well.
I definitely agree. Being able to self-report is key, but there are so many social engineering attacks where users don't even know that they've been compromised. We see things like adversary-in-the-middle attacks, for instance, where a user will be redirected to a malicious website and be asked to put in their credentials to log in, and they're brought to a web page that looks like a regular login page for, say, their bank or something like that, but it's not, and the URL might have one character that's slightly different; it might be a 1 instead of an l or something like that, and they don't notice it, right? And so they put in their credentials, they hit click, and that's it; then the threat actor's got the keys. And so it's one thing to self-report; I think it's another thing to just be aware, at a very high level at least, of what threat actors are doing, to just be a little bit more judicious in your day-to-day activities.

Yeah, so my next question was going to be, okay, how do we solve it, right? You can't blame the users, like you've just said. Is it MFA? What are the solutions? What do companies need to do?

I think the discussion here just underscores that it's both, right? We have so much data from our incident response engagements to back up the problem that is lack of MFA, misconfigured MFA, valid accounts and identity-based attacks as the initial access vectors, and those are all, and a lot of that patching, can be on the technical and security side of the house, but there's also of course this user education component that is essential to spotting at least some of those social engineering attacks, so I do think it's a mix of both.
If I was going to look at really the big picture, I might think, in the ecosystem, how we fix it, right? As the big cybersecurity community, could we demand better things of our UIs, so that when I access something in a browser it will tell me "oh, this is a new site, this isn't a site you've visited before", something like that, right? There have to be advanced, systemic places where this is easier for users as well, so there's really a lot of places it could change. Everything Kendall said is stuff we can do today, and we should be doing today.

Yeah, I
think, I mean, pushback from the audience, right, because I'm going to play devil's advocate here: talking about backups is terribly boring, and it's the stuff you've been saying in the cybersecurity community for the last 20 years. So is it just the same old boring stuff, we have to get the basics right?

I'm bored of saying it; if it helps, if you're bored of hearing it, I'm bored of saying it.

We wrote a while ago a blog or something, and part of the title was like "what's old is new", right? Like, the same things that work for threat actors, they're going to keep doing those same techniques, and so we're often looking for new trends to report out and interesting findings to flag, but the truth is a lot of it is, things stay the same, because as long as this continues to be effective for the threat actor there's really no reason for them to change it up.

So we need to get better at storytelling, I think, as a community, like you say, Kendall, about taking something: what's the impact of that thing happening? Let's put meat on the bones, make it much less dry, much more interesting for people.

I find
it, like on YouTube, just as an analogy, I get a lot of pushback when I show hacks, but if you can show people what's possible and how easy it is to do these hacks, it really hammers it home. I think sometimes the community that shows this kind of stuff ethically, teaching and educating people through a cool demo, hopefully drives it home, right?

Yeah, absolutely.

Kendall, you mentioned MFA a few times, but MFA fatigue is a big problem. I did a video recently where I was talking about this UK teenager; he was in a hotel just up the road from where I am, and he hacked Rockstar Games and a bunch of companies just through MFA fatigue, so that is a problem.

Yeah, absolutely, we're seeing that in our data as well, in incident response engagements. That's definitely one of the ways that actors are circumventing MFA. So for folks that aren't familiar: when you have your mobile device, you go to log in to your secure network or your work email or what have you, and you get a push notification to your device. So MFA fatigue is when a threat actor will flood your device with MFA requests in the hope that eventually you'll be like, "oh well, that must be a real one, let me just accept it", right? So you're fatigued by the number of requests. So that's a tough one to defend against. I think, again, to Kirsty's point, that might be a self-reporting situation: having that awareness to say "this is weird, I got all these requests, I wasn't even trying to log in, let me level that up to somebody". But you're absolutely right, David, that's something we're definitely seeing in the data.
It's already raising the bar, though, for an attacker. Instead of just having nothing there because there's no MFA, now they have to do another stage in the attack, right, add something else; they have to fatigue somebody into accepting the MFA request. So that's already raising the bar, and that's the thing: none of these solutions are silver bullets. It's not going to fix every attack ever; it's just going to make things harder, and why not make things harder, why not make yourself less of a valuable target? It's, I have MFA and Kendall doesn't, who are you going to attack, right? It's just about raising the bar so that it's harder for everyone to get attacked.

Yeah, I love that analogy. I mean, it's like physical home security; it's horrible to say this, but I think just generally you want to make sure your security is better than your neighbors', right?

I think the same line of thinking goes with patching. It's not exciting to talk about, it's kind of boring, but if you take Kirsty's example, a threat actor that sees a known vulnerability is patched, they're probably going to pivot to a different organization that doesn't have that patch, because it's easier, right? So it's just that sort of first line of defense; deter them when you can.
I'm going to have to push you on this, because I know we're talking about the basics, but based on the questions I received from the audience, the number one question was about AI, so I've got to address this: AI for hacking, AI for defenders. In the report from Splunk I saw that in the past the attackers had the advantage of AI, like writing emails, perhaps the voice cloning, all that kind of stuff, but it seems people are feeling that AI is more balanced now, so it's not just the attackers that are winning, but it still feels that way. So what's your take on AI for attackers versus defenders? How's it going to change things? So I'm just going to open it up: AI changing the landscape, also AI for jobs, is it going to take jobs away, that kind of thing. Because you've had a lot of background in AI, perhaps you can take this: what is hype versus reality?

Yeah, there's so much to answer here. So, as you said, AI for defenders, AI for hacking; there's a third stream people forget about, which is securing AI itself. So if you are using it, don't forget that's another software supply chain issue, that's another vendor you have to manage potentially, it's another attack surface, so don't forget about protecting your models themselves, right? And to do that, a lot of it is good software development practice; just do a lot of that stuff and you'll be pretty covered. Splunk SURGe released some research on applying the OWASP Top 10 to machine learning and AI workloads, so making sure you can still protect that stuff itself. On attackers versus defenders, who's winning? Doesn't it feel like the attackers are always winning, because they just have to be successful one time, just one time? So I see why people feel that way. I think in truth the winner will be whoever uses it, right? So initially a lot of defenders were very hesitant to use it; they didn't want to have this kind of data exposure
risk. There were all these kinds of rumors about not being GDPR compliant for certain providers, and people didn't want to expose their data. I think it's very reasonable, but attackers have no such ethics or concerns; they can use the tools as they like, and so they did. So as we started accepting more and more AI into our workflows, into our streams and with our analysts, we're seeing balance too.

You know, we see this in the threat landscape: any new technology that
comes out, it's a race between threat actors and defenders as to who's going to harness it first and best, and we're seeing this with AI. And yeah, a lot of the time it is this doom-and-gloom reporting, right, about threat actors using AI to do this or that, and the stories that aren't reported out are how defenders are leveraging AI, and there's a whole range of ways that we can and are doing that. We can use AI to help with threat intelligence, when you talk about extracting lists of IOCs from a report, or MITRE techniques from a report, that you can then use to prioritize certain defenses in your organization. You can use AI to help understand if a certain vulnerability has been exploited; if so, how frequently? If so, in what industries? Right, and that can help your security organization prioritize where to put their security resources. I challenge folks to think about how we can harness AI in the security world, and I think there are probably jobs in that field that we don't even know about yet, right, because we're still figuring it out as we go. But I think that's certainly a trend we see in this space. I mean, one of the things that came to mind was QR codes. There's been this rise in actors using phishing campaigns with QR codes that require users to scan the QR code, and then it redirects them to a malicious page. That was a new technology, right? Well, now we have email detections that can catch QR code phishing emails, right, using the same technology to bolster our defenses. So when any sort of new technology comes onto the market it's going to be this case of good guys and bad guys trying to leverage it, but I think there are definitely opportunities, as Kirsty laid out, for defenders to take advantage of it as well.
Because this was a thread in the questions, and I'll just summarize: where do you see network security shifting in the next 5 to 10 years with regards to AI capabilities and machine learning? But also, the big one is, am I going to be obsolete, right? So, a question I often get on YouTube is: is it worth getting into cybersecurity if I'm younger or just want to get into this industry, because in 5 to 10 years I won't have a job?

Oh, you'll have a job. In my view, it's one of those things: you'll always have something to do. What you do will change. Maybe we'll look back in 10 years' time and go, "how funny, people were still being ransomwared; thank goodness we've got past that now". Maybe the job will change, but I would say what that means is, instead of learning a particular coding language or a particular set of techniques or something, the best thing you can do is prioritize adaptability, because the job today is not the same job it was 10 years ago, and it will not be the same job in 10 years' time. So yes, you could learn prompt engineering, but people who are working in the SOC today and joined 10 years ago, they didn't know prompt engineering; they've had to learn it, and they can because they're adaptable, they're curious, they're open and they're humble. So those are the things you should be prioritizing in terms of soft skills, and that will make you successful in cybersecurity.
Yeah, I agree, and this might sound idealistic or fantastical or whatever, but I just feel like, if somebody listening is a teenager or about to start college or something like that, the job that you are going to have in 10 years is a job you don't even know exists right now, or that you're not even tracking; it's not even on your radar. Somebody said, "hey, what do you want to be when you grow up?" That probably isn't even entering your consciousness, because you don't know that it's even a possibility. And so I think that plays to Kirsty's point around being adaptable, and I think too, if you can, lean into the things that you're good at. Like, yes, infosec fundamentals are important; coding, programming, that'll definitely give you a leg up, but think about what you're passionate about and what your skills are. Maybe that's communication, maybe that's strategic thinking, maybe that's, I don't know, taking things apart and putting them back together; whatever that is, that can probably be translated into the security world, and that's certainly what I did. I didn't have a technical background, but I found this thing that I was good at, which was looking at seemingly disparate pieces of information and trying to make more strategic meaning out of it and thinking in an analytical way. And now I'm a bit of a unicorn, honestly, on my team; everybody's highly technical and I'm looking at things through a different lens. So that's not something that I anticipated doing when I was younger, right, but through finding my passion I was able to relate that to the field. And so I think as we look at what's happening in the field year over year, get those infosec fundamentals down, sure, do your trainings,
but you know if if there's other soft skills that you're good at or that that you like you know there's probably a way to leverage those as well in the field. I love this I mean we've already got into this conversation but I I'll I'll ask the question anyway if you spoke to your younger self what would you advise? I guess for me I like I I would probably say Kendall take some programming and coding classes because I entered the you know cyber security world I guess proba I mean there are a lot of former Intel folks I work with but a lot of them did do technical work um in their previous careers I did not um and so you know I but but I like threat hunting I like hunting the bad guys I like um looking at trends I like um you know leveling up um things that are important for executives and and companies and just really taking that high level strategic vantage point so I've had to kind of like hone my technical skills um you know on the run as I've been here over the last seven years and I've done that so I I mean for me if I had known I was going into cyber 100% like beefed up my my technical skills a bit more um but that's probably opposite than a lot of folks that may be watching. 
I think it's a good point, but I probably would say, you're technical enough; that's to everyone, right? If I could tell my younger self, I'd say, you're technical enough. Yes, you don't know every programming language in the world, no one does. Yes, you can code and someone else can't; that doesn't mean anything actually. You're technical enough to do the job, and anything you don't know, you can learn. It's really not about knowledge, it's much more about skills, so I think that would be the message I would take. You only have to really study something, it could be an attack, it could be a TTP, it could be one actor; if you really went for it and did nothing but that for a month, you would probably be one of the global experts at it, because there's so much out there that it's very rare for somebody to have the time to specialize in that thing. So really, it doesn't take long for you to become a true expert in something if you're dedicated and if you're looking at it. Pick what that thing is, what you would like to do, and hone in on that. But really it's about skills, not knowledge, because knowledge ages off and skills are evergreen, so try to prioritize the kind of things you want to do rather than the things you want to know.
Yeah, and I would say two other things that aren't specific to any particular field. The first one is internships. I think internships can really set somebody apart in the interview process. Not only do they give you a chance to test the waters and see what you like; it's one thing to have a list of skills on your resume on paper, but to actually have an experience where you put those skills into practice, and then be able to talk about that in an interview, I think is incredibly valuable. The second thing, and I learned this a little bit later in my career, is the value of networking. I think that's something a lot of folks in this field shy away from, because a lot of us are introverts, myself included, and it wasn't until later in my career that I really understood how relationships can help you in your career. So I would encourage folks, as much as you can, to push yourself outside your social comfort zone to make those connections, in college, professionally, with your colleagues, because you never know down the road where you might want to call on them to refer you to a job, or they might have you in mind when something comes up. You just never know, so I think that's definitely something I'd pass along too.
I totally agree on both of those. I think as well, sometimes I've heard people say, I can't get an internship, so I'm stuck; I applied for things and I can't get there. Don't let that hold you back. The question I always used to ask in interviews is, what's the most complex technical project you've ever done? And it doesn't matter if that's in an internship, in your university degree, or just at home. If you get a Raspberry Pi and you decide you're going to ping some API and you're going to light up an LED screen in a certain way depending on the temperature that day, cool, tell me how you did that. If you're enthusiastic you can do quite a lot as a hobbyist; you don't need to wait for a job to do that. We have a lot of resources that are openly available, and of course it takes time, but if you've got time and really are passionate about getting into the field, make real projects, do something you want to do. What is annoying you? I had a friend who every day used to leave the house and he would be checking on his phone whether the train was delayed, and he'd check the weather so he knew if he had to take an umbrella or if he was overdressed and going to be really sweating on the train, whatever it was. And he was like, you know what, this is insane, I'm going to start projecting that on a screen so not only can I see it, my partner can see it, and halfway through the day it flips so that they knew when he was going to be coming home, if the train was going to be delayed, etc. What a cool project, and no one told him to do it. He just thought, you know what, I could do this, I'll just poke around, I'll learn some stuff along the way. Fantastic, what a great project, done.
I'm not sure if it's possible to answer this, but I'm assuming both of you have hired people or interviewed people, so I'd like to get your input from the other side. What makes a candidate stand out? You mentioned the Raspberry Pi example; stuff like that makes someone look different to all the other candidates. Are there any sort of tips and tricks you can give to someone to get ahead?

So what I'm actually really looking for is curiosity and passion, and those are the two things. If you have 10 coding languages or you have zero, I don't really mind. I'm looking for this kind of aptitude, this curiosity to learn more and a passion for doing so. There's obviously a natural bit of aptitude, how coding works, logical flows, things like that, but I don't usually care if you've got this language or that language. So I would say try to think more about why you're interested in the subject. A great question I like to ask in interviews is, how does the internet work? Everyone has some understanding of how the internet works, right; even someone incredibly untechnical will go, I connect to the Wi-Fi and then I go to a browser and the internet is there. And you can just probe: how much further can you go? What happens when you connect to the Wi-Fi, where does that go? Sometimes people say the internet's just in the Wi-Fi box, and you're like, but where does it go? And they're like, no, just back to your phone. So they really think the entire internet is on the Wi-Fi router, and that tells me a lot, right; they don't have this kind of attitude, they've never been curious about learning more. It's questions like that, which are very open-ended, that I think make the best interview questions, because I'm not looking for a laundry list, have you done this, yes, no; that's kind of boring to me. What I want to know is, are you interested, are you passionate, are you curious, do you have an attitude where even if you don't know exactly how the internet's working, you can figure it out? It's the World Wide Web, there's a clue, you know. So that's the kind of thing I would always ask in an interview.

Yeah, I love that. I certainly ask a lot of problem-solving type questions, but I think one of the things I'm looking for when I interview people is how they can tell a narrative. Regardless of what question they're answering, can they form an argument, do they have evidence that backs it up, and are they communicating to me in a way where I can easily identify what their main takeaway is, what is the key part of their answer that they're trying to tell me, and does their supporting evidence make a case for that? That tells me a lot about not only how they can communicate, but probably how they can write, and most importantly, how they perceive the information in front of them: what skills do they have to identify what the most important things are, what is minutiae, and then are they able to tell me what the impact of that is? We talked earlier about how communicating in that way can be so important today, because so much of the security guidance is often the same, right? I think a very important part of our work is being able to communicate, and I think a lot of that gets lost. You look at a lot of the security trainings that are available today and there's not a whole lot available in the realm of strategic thinking and intelligence analysis and communicating to non-technical audiences. To the extent that somebody can come off really polished in an interview, that just goes so far in this field. So just practice: get in front of a mirror, or as you're driving in the car, practice talking through those answers. But I'll tell you, you can come across really sharp if you can just get your point across with a couple of pieces of evidence, and I think that really goes a long way.

Kirsty, you've got the math background and you've done a lot of work
in this field. I need to ask you: there's this fear again that all encryption is going to be broken very soon, like AES is going to die and all the rest of it, because of quantum computers. So perhaps you can talk to that. Is it true, do we have to worry about quantum computing, how's the world going to change, when is it going to change? Again, an open-ended question.

Yeah, fantastic. So I actually wrote three blogs about this, which I'm sure we can share, around why quantum computing is like fairy tales. The first question is, is it the emperor's new clothes, does this threat really exist? As far as I remember, the quantum computing threat has always been about 15 years away, and it's been like that for the last 30 years. So, a nice healthy dose of realism here: it's not going to happen tomorrow, and we're going to have quite a bit of lead time up to when it does happen. But that's not to say you shouldn't prepare for the possibility of an eventual threat. So the advice I always give is: in the case that a quantum computer exists, it will not break AES. AES is not the thing to worry about. RSA and Diffie-Hellman public key exchanges, those are the things to worry about first, then signatures. Why in that order? Because signatures I care about at the point of verification; I don't actually care about them at the point of signing. So we need to make sure that the key exchange that's happening is protected. That's the first thing people should prioritize, then signatures, and then other kinds of block ciphers like AES. So it's not even the case that all encryption has gone; it's just a very few parts of it. And so when you're making your plan, make sure that you are creating an asset inventory so you know what you have to migrate and the order you should migrate in. Think about the data as well, because you need that data to stay secret for a certain amount of time. For lots of data it doesn't matter today that it's not encrypted in a post-quantum way, in quantum-safe cryptography; it doesn't actually matter, because by the time a quantum computer arrives that data is obsolete, it will already have been deleted. So a data tiering strategy is very important, making sure you know your assets is very important, and all of this is in the blog. In a hilarious way, it's about the boy who cried quantum wolf: in the story he kept saying it's coming, it's coming, and then when it did come no one believed him. So I think as an industry we have to be quite careful that we're not overhyping the threat, but we're not underhyping it either. And then the final blog that I wrote was about Goldilocks, and how her porridge was too hot, too cold, and just right, and there's a just-right time to migrate to quantum cryptography. You don't want to be too fast, because you won't be interoperable and possibly you'll be moving to something with a poor implementation, something that hasn't been robustly tested; nor do you want to be too late, so that you're vulnerable to the threat. You want to make it just right, and the just-right time is not yet; I think it would still be too soon, and for the large majority of organizations that would be the case. There are some very particular use cases where you should be thinking about moving quite soon, but in any case you should be making an asset inventory. It's good security practice anyway: if you don't know the assets you have in your organization, how can you protect them? So that just helps you, and additionally helps you with the quantum threat as well.

When you say that we need to prepare for this, let's say I want to start now, what does that actually mean?
So you have to look at all the data you've got and decide for how long you want it to remain secret. If the answer is, you know, 100 years, then okay, you should be thinking about it. If the answer is, after a week I delete that data, that's probably not your priority for migrating against the quantum threat. If an adversary attacks your data that is encrypted with classical cryptography, there's this store-and-decrypt model, where they have to save off all of your data to decrypt at a later date when a quantum computer is available. So it's not a minor adversary; it's quite a sophisticated adversary with lots of resources that would be doing this. Think about whether you are in that target group, if you would be targeted by a large, sophisticated adversary, and think about the data you have, whether you need it to remain secret for many, many years, or if actually you're deleting that data anyway after a week, in which case don't migrate that system first. So look at all the data you have, think about things that will age off; if you're replacing that legacy system in the next year, don't prioritize that for a quantum migration. That's what it means: look at all the things you have, the systems and the data, and make an ordered list, a priority of migration. Make sure you know who those data owners are, make sure you know who's responsible, and once you've got that, then start thinking about the types of cryptography you're going to need to move to. All of the algorithms that have been standardized have different properties, larger or smaller key sizes for example, so think about what's most appropriate for your use case. But today, I mean, there aren't robust implementations that exist for all of these; it takes time for the ecosystem to build up. We now have the standards from NIST, which is quite recent and quite new, but we still don't have implementations in protocols, for example; that's still being developed. So we have to think about what's an appropriate time to migrate, and it's not yet, but you can certainly get yourself prepared and ready.

Let's say I've got this hard disk that I want to keep secret for 20 years, because it's my photo of my cat or whatever, but I need to keep it secret. Do I encrypt that with something like RSA? What do I need to do today? Is it like, for the quantum change, do I just need to know what I need to encrypt and then wait?

Yeah, so if you think a sophisticated adversary would store your data to then decrypt it at a later date, you should now be thinking about the quantum cryptography you would use to protect the key exchange, and make sure that, whether you're using RSA or Diffie-Hellman, you can change the cryptographic algorithm being used for that and use the new post-quantum standard.

Kirsty, do you think quantum protocols are coming anytime soon? It sounds like, as you said, the 15-year thing?

They're already here. Technically, if you've got a pre-shared key in your... so IKE version one is quantum safe actually; adding a pre-shared key makes you quantum safe. Work has been done in the IETF to prepare protocols for these larger cryptographic artifacts, so bigger key sizes, bigger certificates. It's already being worked on; in IKE, for example, they've already published RFCs to deal with message fragmentation and handling the larger cryptographic artifacts that come from post-quantum cryptography. But work is ongoing still, say in the TLS group, to work out how you can create hybrids in a reliable, consistent and secure way, and once those structures have been created, then the cryptographic algorithms can be dropped in and combined as needed. That's a slightly different process on the side, but the work is ongoing in the IETF.

I'm glad you said that, because I think there's this concern that quantum is going to break everything that we have today. So you're saying that that's not true, right? Some of the stuff's already going to be safe against quantum?

Yeah, it's being worked on right now. Anything that used a pre-shared key, that's actually quantum safe; ironically in IKE version one, but now it's been added to other protocols as well for exactly this reason. So we have some protections, if people are very concerned, that they can put in today using a pre-shared key. It's interesting: that is post-quantum cryptography, but it's not using the algorithms that have been standardized.
Some of the stuff you shared now I didn't know, and I'm sure a lot of people didn't know. Do you have a place where we can go to see the updates, like the IKE thing? It seems crazy that a pre-shared key can save me from quantum computers; that doesn't seem to make sense, but that's just me saying random things. Is there a place we can go where you can actually see what's happening?

Yeah, absolutely. So the IETF has many protocols, many groups working on different things, so they created one central group which is called PQUIP. PQUIP is a working group that collates together all of the updates that are happening across the IETF. There's work ongoing in the co protocol, in TLS, in IKE, where engineers are working to integrate quantum structures and make sure that these protocols can support the carrying of quantum artifacts; the keys are much larger, certificates are much larger, so making sure that the protocols can support that. All of those updates are on a page we can link, on GitHub; you will see each of the drafts, and each of the finished RFCs as well, and they're all catalogued there, so it's a really good resource.

Yeah, I mean, that's great, because I think the concern is Diffie-Hellman is out the window, RSA is out of the window, all our pre-shared keys, sorry, all our public and private keys are out of the window, IKE's out of the window. But it sounds like that fear is maybe greater than people, you know, it's maybe just FUD really; it's already been worked on?

Yes, it's already been worked on. I mean, the NIST competition or process, I can't remember when it started, but it was a long time ago, and for a long time cryptographers have been thinking about this; they've been doing lots of research, lots of testing, lots of implementation. In the IETF, as early as 2019, there was a proposition to combine classical and quantum cryptography into a sort of hybrid structure, so that even if the classical cryptography is broken you are protected by the quantum, and vice versa. That was really helpful during this period of transition while the algorithms were being tested. There's a lot of rigor gone into the process, and some quantum algorithms were very famously broken, quite publicly, quite late in the process, but that's the beauty of having this kind of transitional period, where people can feel that their data is still secured in either case. And then as we come closer to the point where it's been standardized and the protocol work has been done, with a lot still ongoing, lots of discussion and a lot of bright people working on it, once the standards exist in the IETF we'll start to see software libraries, OpenSSL and different open source libraries, and browsers starting to adopt those new protocols. So I think: don't panic, and definitely don't roll your own, don't implement your own code; use these big, well-understood libraries, and make sure that you are keeping up to date with these updates and watching the IRTF RFC stream, because that's really the place to go for the most up-to-date developments in protocols and post-quantum cryptography.

So Kirsty, are there real algorithms that exist, and can you mention some of them? Because I know RSA, I know AES, but what are these quantum algorithms, what are they called?

I was just going to say, they're all named after Star Wars, and I only found this out quite late because I'm not a Star Wars fan. Originally there was New Hope, back in 2015; if you're a Star Wars fan you can nod, just to encourage me, so I know that I'm on the right track. And then we have CRYSTALS-Dilithium and CRYSTALS-Kyber, so those are the names of two of the algorithms. They're now called FIPS 205, you know, not as exciting, but when they were going through development there were also SPHINCS+ and Falcon, and so far we've had one key encapsulation mechanism standardized and three digital signature algorithms standardized. They use different underlying cryptography. RSA is based on large primes and the difficulty of factorizing: multiplying two primes together is very easy, but it's very hard to factorize a very large modulus when those two large primes are the only factors. That's the underlying hard problem. The post-quantum underlying hard problem involves a different type of mathematics that is resistant to attack; it is lattice-based cryptography that the key encapsulation mechanism is based on. These different underlying hard problems are incredibly difficult for a quantum computer and a classical computer, whereas factorizing a large modulus takes seconds for a theoretical quantum computer. So that's the difference between the algorithms and the underlying hard problems that they're based on.

So Kirsty, I've heard quite a bit about quantum from different experts. I'm glad that you've made the point, like, don't cry wolf, because that seems to happen a lot with technologies; just start getting prepared for it. So I suppose the first thing is, where can people go? Your blog articles are a great place to start, right?

Yeah, definitely. So the three blogs are available on Splunk, and they cover whether the threat is real, whether the threat applies to you, and how you can decide the right time
2024-10-29