Our Thoughts on GrrCON 2018

Earlier this month, Worksighted sent team members to attend the well known GrrCON Hacker Conference. GrrCON is an annual event that gathers hackers and IT security professionals from all across the country to come together and learn more about their passion. This includes a handful of presentations from security and hacking experts, along with hands-on activities that test your own ability to hack. With some time to digest all the content, we asked our team to review their notes and share some thoughts on this year’s event. Here’s what they had to say…

Mike Remick, vCIO: “I recently attended my first “real” InfoSec Hackers Conference, GrrCon, at the Devos Place in Grand Rapids. Sure, I have attended vendor-based security conferences in the past but I have never attended a conference where I was warned by former-attendees, fellow conference goers and hackers themselves of the following:

  • All traffic is monitored, no network (even with VPN or Tor) is secure
  • All data traffic on mobile devices is insecure & 4G is easy to sniff
  • All power outlets might be transmitting more than power or tampered with to damage equipment
  • Not to bring electronics that had any controlled or secret data, and most importantly…
  • ALL things are “HACKABLE” – straight from the Hackers themselves

WiFi off, Bluetooth off, data off….A few of my own observations while at the event: Hackers don’t always make the best presenters, they are not well-versed in PowerPoint, generally reading their slides word for word. This being said, I heard some great talks, I had some great discussions with some of the Country’s best hackers and left the conference terrified of IoT and autonomous vehicle hacking.

I want to focus on the items that I thought were relevant to the MSP (Managed Services Provider) space and SMB’s from the breakout sessions I attended.

As an MSP, we have to educate our clients that security has to be of utmost importance. Crime-as-a-service is real and we have to offer our clients a greater level of service and protection in the security threat space. As such, the importance of Vulnerability Assessment Lifecycle’s, Patch Management, Endpoint Logs, SIEM & SOC are just a few ways we can step in and reduce the risk of breaches to our clients by nearly 70%. Without these tools, most organizations do not detect threats in their environments for more than 190 days and it takes them roughly 65 days to contain and another 45 days to remediate fully. Ultimately it takes nearly a full year to recover from a breach not to mention the financial impact and the “Reputational Capital.”

Tools are great but more importantly, we have to continue the educational process with our clients and prospects. The human element is the cause of nearly 90% of all breaches through phishing attacks and if we arm users with knowledge and the aforementioned tools, we can reduce attacks by nearly 95%. Organizations should realize that no matter how much money they invest in intrusion detection and prevention, it will not actually help if an employee clicks on a simple phishing email.

Finally, and the most important take away from the conference: We need to view every opportunity, every discussion, every meeting and talking point with our clients as a security opportunity. As we moved from a PC-Era to Internet-Era and on to the Experience-Era, we need to be more service-minded to drive security conversations and become a hammer and not a nail as it relates to the education of our client base.

If anyone would like to learn more about the conference, please do not hesitate to ask and I would be happy to discuss.”

Rick Elder, Project Engineer: “As with many conference presentations, there is the good, the bad, and the ugly.  In my opinion, some of the best presentations this year at GrrCon were centered around social engineering and community which equates to you being a wolf in sheep’s clothing. Attempting to get someone to run an application by convincing them you are someone else, or by selectively targeting a company, or more specifically targeting one person inside a corporation. This can be done a number of ways, one such way is via a spear phishing attack, which is just like the phishing attacks that KnowBe4 tests with, however it is more targeted to a specific user.  In order to perform this type of attack, a great deal of intel and information gathering must be done prior using social media, this can be done using the Open Source Intelligence Techniques (OSINT) method which helps gather the information.

In one session, the presenter had an agreement (so he had a get out of jail free card) to breach a bank. He made a phone call to a bank employee (which turned out to be VP of the bank) and made a pretext of “fixing” known email issues (he played the actual recording of his phone calls).  He was able to get the user to install the malware, and obtain credentials. The next day he stopped into the bank to “see how things were going”, at this time he installed more “malware” on each of the office PCs in order to fix the rest of the email issues of course. He also made sure to take a picture of himself in the vault with cash. The following day after he made himself known, the team at the bank were understandably dumbfounded.  It was a learning moment for all.

The idea of community was brought up a number of times across a few different presentations.  The workforce community has the heavy task to flag things that “don’t seem right”.  People often bash the user for clicking on a phishing email, however, is it really the user’s fault?  Where is the training?  Is the company backing the user? Is the CEO publicly invested in security? In many workplaces, IT security gets addressed every 6-12 months and that’s good enough for the compliance requirements.  This should be the minimum, I believe security should be constantly analyzed, and a CEO must lead with this direction for all, the alternative is that employees express “IT security is not my department” even though it directly affects every department in every organization.  The goal of having as many people aware and knowledgeable of potential attacks is that in addition to the IPS (Intrusion Prevention System) on the firewall. It is just as important to build a human IPS system of employees working together to sound the alarm and spread accurate information to others not to click, and to inform their IT department of the incident.

In order to reach this goal, data must be collected.  Who is clicking the data from the test phishing emails? Is a specific department clicking more than other departments? What type of phish is most successful and therefore getting the majority of clicks? Once a user clicks, are they given an immediate personal teaching moment?  Or does the user just receive a brief email that says “don’t click”?  Are users getting something that is personal, meaningful and impactful?  One possible way to implement this meaningful approach is to create a contest that goes something like this: Who can send the most in without clicking on it, like a bounty system?  This approach could help create a better working environment for the end user to the IT security department, and will hopefully open up the communication avenue if anything is discovered.  It could also shine a positive light on IT security and its importance in the workplace, so that companies are focusing on it often, and not just during an incident when a user has caused millions of dollars of loss from an actual breach.

There was geeky fun hacker stuff there also, some built into Windows! Want to jump on my wireless AP?”

If our team didn’t make it clear enough from their reviews, it can be pretty scary to see how vulnerable businesses are to getting hacked. If you’re unsure about your company’s security or have questions/comments on the event, drop us a line, we’d be happy to talk.