#BSidesSF: Keynote: Slack CISO Reflects on a Decade of Mayhem and Gives Checklist Advice in Its Wake

At BSides San Francisco, Larkin Ryder, the interim CISO at Slack, delivered a keynote based on a decade of retrospection, reflection, and prediction.

Ryder broke down her observations on the past ten years of cybersecurity into the following notable categories: malware, data breaches, vulnerabilities, and privacy. “Over the past decade, malware went critical,” she observed, calling out Stuxnet, WannaCry, and NotPetya as the most notable.

Her journey of reflection then moved on to data breaches, of which she called Yahoo! “one of my favorite breaches” due to the story of prosecution and conviction. She then referenced the Adult Friend Finder and Ashley Madison breaches as breaches with a different motive. “These breaches were about hackers making a moral judgement, and [the abstraction of] a different type of very personal information,” she noted. “Then there was Target,” which brought to light vendor risk management and made it a critical issue. “We need to establish trust with all our vendors because vendor risk management is so much more critical now than it was in 2010.”

The last decade, said Ryder, saw “vulnerabilities earning names.” The most notorious of those names were Heartbleed (2014), Meltdown and Spectre (2018), and EternalBlue (2017).

Impact

Taking the decade of malware, data breaches, and vulnerabilities into account, Ryder considered the impact it has had and what has changed as a result. Interest and awareness about cybersecurity is perhaps the biggest consequence, she said. In the Global Risks Report 2020, cybersecurity featured twice in the list of top 10 global risks: Cyberattacks on infrastructure came in at number five, and cyber-attacks involving theft of money or data came in at number eight.

In the “Global Risks Report 2020,” cybersecurity featured twice in the list of top 10 global risks

The past decade has also witnessed evolution in the way that information security professionals do their jobs, with cloud, privacy, and the proliferation of mobile devices responsible for the biggest changes.

On the topic of privacy, Ryder cited privacy regulation as one of the “good things to happen in the past decade.” Privacy regulation, she said, referencing GDPR and the CCPA, has been “both significant and positive.”

“I don’t make predictions, but if I did, these are the trends I would expect to see next,” said Ryder, somewhat ironically. “The Internet of Things will go viral, malware will learn by machine, and SCADA will come crashing down,” she predicted.

Checklists and Advice

Ryder compiled a list that she referred to as a “Checklist of the impossible.” It includes advice that she considers sensible, yet admits that she knows is near to impossible to follow:

• Stay patched.
• Don’t click on (suspicious) links.
• Never open untrusted email attachments.
• Do not download from untrusted websites.

The following checklist items, she said, are “less impossible” to follow:

• Avoid inserting unknown USBs.
• Use VPN over public Wi-fi.
• Back up your data.

In light of how difficult this checklist might be, Ryder has formed another list of advice, which she considers “simplified advice that is essential for all new users that you are on-boarding”:

• If you see something, say something (trust your instincts and report anything that seems worrying or out of the ordinary).
• Use what I gave you (don’t sign up for or download anything unauthorized).
• Customer data is off limits.
• If you don’t understand why I’m creating this friction for you, ask me (I can rationalize or explain why certain rules are in place).

Ryder referred to the “infinite bag of risk” that she and her peers face. It can feel overwhelming, and it can seem insurmountable, but “the key is not to try and boil the ocean,” she advised. “You have to start somewhere, so work out what normal looks like and bring in a red team to test your security,” she advised.

“Recognize the burden that you are facing and bound your efforts,” and finally, she concluded, “lean on our community to share concerns, worries, and advice at events like these.”