VOTING VILLAGE - Defending Election Security: A National Security Priority

Video in TIB AV-Portal: VOTING VILLAGE - Defending Election Security: A National Security Priority

Formal Metadata

VOTING VILLAGE - Defending Election Security: A National Security Priority
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

It's my privilege and honor to introduce two gentlemen from Homeland Security. First we have Rob Harris Robertson, director of the National Cybersecurity Assessments and Technical Services (NCATS) department at DHS. In his current role as director, he manages the NCATS team and provides security services to federal agencies and state, local, tribal and territorial governments. He was responsible for creating and identifying new services and developing the NCATS program into the civilian government's leading security services provider. Prior to joining DHS, he worked in the private sector for 12 years developing security operations. We also have Jason Hill, who's the red team lead at DHS, also at NCATS. Jason joined DHS in 2013 to help create the nation's red team. He has 24 years of information security field experience and 20 years in the Army National Guard within the cyber security domain. He serves as the deputy chief of the National Cybersecurity Assessments and Technical Services (NCATS) risk evaluation team and as the chief of the red team, conducting red team assessments for the federal government customers.
Prior to Homeland Security he served as the red team instructor to military and federal government employees. I think I've probably said enough, so with that, Rob.
All right, well, thanks for having us here and thanks for showing up. This is my 12th or 13th year here, I don't know, but it reminds me of one of my first years, when we used to sit on the floor back at the Alexis Park and we used to drink, and it's nice and informal and casual. So I'm gonna give you an overview of what NCATS is and the services that we do, Jason's gonna go down and do a technical dive into it, and then I'm gonna give you guys some election results that we've found from the customers. So what do we do at NCATS? We do assessments. And what are assessments? Cyber assessments. We have three main programs under NCATS. First is called cyber hygiene, and you could think of it as scanning devices on the Internet. So departments and agencies come to us. Actually, when we go back, we have three main constituents: we have the federal government that we work with, we have state and local governments, which are so many, and then we have private sector. So elections fall under either state and local or private sector. And then cyber hygiene is vulnerability scanning on the internet. So we have right now 835 customers that we persistently scan. So if we find a vulnerability on a customer, we're going back and scanning that machine daily to see what the closure rate is. So we believe in not just identifying the vulnerability, but then identifying what a customer does with that vulnerability and with that notification. So it doesn't do any good to find a vulnerability and say, hey, your window is open, and for you never to shut it. So I tell you your window's open; how long does it take you to shut the window? Does it take you a day, an hour, five days? We had a huge problem in the federal government where it was taking over 300 days for people to close critical vulnerabilities. We issued
what's called a binding operational directive, and now the closure rate on the critical vulnerabilities is approximately twelve and a half days, so it's a big win. We want to do that with state and local and the private sector, but we don't have the authority, right? We can push them, we can nudge them, we can stomp up and down and say, you know, this is an issue, but we don't have the authority. We have the authority over on the federal side because we're federal government. The risk and vulnerability side is basically, we have a risk evaluation program and there's three services under there, and Jason will go deeper into these, but I'll give you guys a higher level. So we have the risk and vulnerability assessment, which is a two-week pen test. Basically any of those three constituents, federal government, state and local government or private sector, can come to us and request one. We'll give them a week where we try to break in from the outside, and then we'll go a week on site and act as trusted insiders or insiders and try to break into their systems. Under that we also have true red team capability, which Jason's built out. He could go into that a little bit, but that's more on the federal side that we offer it. And we have a remote pen test capability where we just test from the outside. The third program that we have is operational assurance, and that's kind of more like, if you think of a blue team and stuff, they're out asking questions, going out and getting surveys and providing guidance based on that. You know, do you guys have an incident response plan, and going through that. They do a validated architecture design review where they get pcap data and then they look at your architecture and say, oh well, you have a firewall here and I have pcap data, why is data flowing from the financial portion of your company over to this other portion? And so they work with that. Under that we just built out, and this is
election focused, but it's going to be all control system focused, applied vulnerability assessments, or AVA, and that's where vendors can come to us and give us their election systems or control system, and we'll set it up, and we'll follow their documentation for setting up as a standard setup, and then look at it and try to tear it apart and try to red team it and test it and see what we can do. We'll take the firmware off and see if there's any issues in the firmware, and then any other issues inside the system. So on cyber hygiene we have five hundred ninety five customers. Oh, one thing I didn't talk about was why we do this and the legal documentation that goes along with this. Everything we do has legal documentation, so we're not just going out there and scanning for the heck of it. So there's eight hundred and thirty customers; they've signed and agreed for us to scan them. And why we do it and what we get from it is invaluable, right? So we have a consistent data set on this, so we can see trends, whether it's in the financial sector, the election sector or whatever sector it is. Jason, you want to go into detail on what a risk and vulnerability assessment is?
You guys hear me okay? One of the things that Rob
didn't say about those services is that they're all voluntary, so we don't show up to people's doors and say, hey, we're doing this kind of thing. I think that's kind of important to put out. But to go along with the RVA service that we provide, it's a two-week penetration test. Or who have my pen testers in here, besides the guys that work for us? So a penetration test: we're gonna try to show the customer everything we can find from a vulnerability standpoint within the timeframe that we have, right? So traditionally a penetration test is, we're running scanners, I'm running nmap, I'm trying to find all the IPs I can find in the given scope that they've given me, I'm trying to run a vulnerability scanner against those IPs to try and find that low-hanging fruit, the things that Nessus or Nexpose is going to tell me is there. And then once I have that information, I'm gonna try to validate any of those vulnerabilities, right? And then after that, if there's any web applications we're gonna throw some scanners at them, and if there's any databases we're gonna throw some scanners at them, right? So how does that differentiate us from a normal traditional penetration test? That stuff is all great; it's a little bit traditional, sometimes it's a little bit boring to just kick off a scanner and let it run. So we add a little bit of value to that for our customers. So we do do all of that, right, and then we validate everything, but then we take it to the next level. We try to give our customers what it looks like to be hacked, essentially, right, what it looks like to be attacked. I can give those results of the scanners to the customers and tell them, hey, you just had a penetration test, here you go, good luck, and leave. But that doesn't really mean anything. If I'm telling the CIO and the CSO or some official that, hey, your Nessus scanner came back with 13 criticals and you've got to clean that up, that's not really helping,
right? And so we take it the next step and we try to emulate some sort of an adversary. So what we'll do is, once we get all those results from our scanners, we'll try to hit the low-hanging fruit, but really what we're doing is trying to get a foothold somewhere (it's really distracting), try to get a foothold somewhere within that network. Whether it's through phishing, whether it's through an external misconfiguration or an exploitation or a vulnerability that we can throw an exploit at, we try to gain a foothold, we try to privilege escalate, laterally move throughout the network, try to get domain administrator in their network, move around and find what we call sensitive business systems, right? So when we're all done, if I go to the president of the credit union or the president of the water company or the electric company and I tell them, hey, I got domain administrator in your network, every one of you guys in here knows what that means, right? Like, that's bad. But when we tell them, they're like, I don't know what that is, that's not really helping me. So we try to go after what we would think to them is a sensitive business system, something that's gonna either have them explaining what happened to Congress, or explaining what happened in front of cameras, or explaining what happened to their shareholders. Those are the kinds of things that we're going after, whether that's PII or proprietary information in their network. Once we find that stuff, when we outbrief them, we explain to them exactly what we did. To our technical guys that are our customers we say, hey, this is exactly what we did, from gaining a foothold to privilege escalation to lateral movement, we did all of these things, and this is exactly how we did them, and here's our write-up on that, and here's how you clean all of that up. To our executive level folks, our C-level folks, we explain to them: it doesn't matter what I did. I got in. I gave all that stuff to your technical
folks, they're gonna go off and fix it. This is the ramifications of what just happened to you: for the last two weeks we've been inside of your network, I got access to your crown jewels, and I was able to look at all that stuff or essentially exfil it out and take it. And I don't know what that means to you, but I'm trying to show what that means to you. So that's essentially what our RVA service is. I'm not sure if I missed anything.
Yeah, and one of the things that they do is, when they do exfil the data, they test various ways, right? So we don't just exfil it one way. So they'll try it over DNS, they'll try it over HTTP, HTTPS, FTP, and they'll give them a list and say, hey, you guys are good here, you guys are good here, but you're not good here. So what statistics, and what can we learn from that? So I mentioned that we have eight hundred and something customers under cyber hygiene. Of those, ninety-eight are actually election officials or election related. So what data can we conclude and look at with 98 customers? A lot. So a lot of the vulnerabilities that we see on cyber hygiene, actually four out of the top five vulnerabilities are the same from our broad base of 800 customers to the 98 customers. So election officials or election networks basically look like regular business networks, so there's nothing really daunting there. But if you guys want the top 5 vulnerabilities that we know of there
[Music] 20 years ago I didn't. So IIS 6.0 is unsupported. PHP is unsupported; they're running a PHP unsupported version. We detected a UNIX operating system that's unsupported. There was an MS15-034 vulnerability in HTTP. So what does that mean? So it's a denial of service on a web server, right? So yeah, we're seeing that; that's one of our top five, not only in the election but among all of our customers. So it's easy, I don't know if you guys use Metasploit or a tool, but I mean, it's really easy to denial of service these machines. Most of them are probably default IIS servers, but we don't dig into it. Cyber hygiene just strictly runs vulnerability scanners and finds the statistics. But the one of the top five that's not in there, that separates the elections from the others, is Microsoft Exchange Server, an unsupported version. Still an unsupported version, but we're seeing all these unsupported versions under there, so we're trying to work with them and get them to, yeah. And it goes back, I mean, I don't know if you guys were just in this last talk, but, you know, a lot of money just came down to the states and the local communities. I don't remember what the gentleman said, but it was about 350 million or so, you know, and then he talked about resources, now having the resources to do it. So what he says, our data backs up, right? So there's unsupported devices that people aren't fixing or updating, and this just gives an attacker a vector either to cause havoc or cause doubt in people's minds, you know. So okay, you denial of service a machine; it doesn't really affect anything, but it makes people think and wonder, well, if they could do that, what else can they do? Let's see, on the risk and vulnerability assessments: so we've done 30 of these on election related officials, and we've done them from small counties to the hugest cities in America to states, and actually to a couple private sector people, and the results are pretty similar to what
we're finding on the red team side. You want to walk them through the number one way we get in? So, through phishing, and then escalate. Hey, we can't talk about customers, so it goes back to, yeah, yeah, pretty good odds. But the important thing is, you know, we do sign legal agreements, and we do put out, and we're gonna work on putting out, like, non-attributable statistics based on this, and reports, so you can see what we're talking about. We have some past reports; they're not election-specific, they're overall, but the trends... The important thing is, and I'm gonna save it to the end, and Jason's gonna chug his Fireball there and wonder when I talk about it, but there's one difference between the elections and everybody else. But we'll get to it; we don't want to spoil it right now. So talk about phishing and get there.
So all of you in the room help us out every time we send a phishing email. So I'm sure all of you in here know or are familiar with phishing, and it's pretty much our number one way of getting in. So throughout all of our assessments that Rob spoke about, the RVAs, the red team portion, the RPTs, the remote pen testing, there's a common theme, and that's phishing. On some of our assessments we will work with our customers and come up with a common theme or an email to break in, and we'll count up all the people who clicked on it or opened it and gave us comms back, and then we'll give them those stats. And on one of our services we work closely with the customers in a manner that we try to build a rapport with them, right? So I'm going to send an email out to a customer. I'm gonna do some open source research on them and find out that they're supposed to interact with the public, right? They have some sort of public relations duty; they're expecting forms, they're expecting documents. So we're gonna work with them, we're gonna talk to them and say, hey, you know, I saw you're the
point of contact for this, can you help me out? I've got this document, got some questions on it. And we don't send them anything; we're just sending them this initial email. So they'll do their job, right? That's what we're expecting them to do. Now we respond back to this with, yeah, sure, send it over; we send over a document, and for us it's our document as our payload, it's our way back, it's our comms, it's our C2 channel. And we do that for one of two reasons. One, if we never hear back from them, something caught it and ate it, right? Or they left or they're on vacation or something. So if we never hear back from them, either something went wrong at the user level or something went wrong at the network level, with the security level for the email, and then we can send another email: hey, did you ever get my document? They'll either tell us yes or no, and then we know where the issues are in that chain. Once we figure it out and they're like, yeah, I got your document, I clicked on it but nothing happened, because that's exactly what we wanted, is nothing to happen, and then once they write back to us and say, hey, nothing happened, and we have our communication channel, then we'll turn around and close that loop and we'll actually send them the doc they were waiting on. And we do that for one of two reasons. One, it makes them less suspicious, right? So if I give them what they're actually asking for, they feel good, they did their job, everything's great. We have our communications channel, we keep it moving, they keep it moving, they did a job well done. But two, in case we get burned out of there, that is a point of contact that we can use in the future: hey John, or hey Sally, remember me? I've got another document, can you help me out? And they will tend to help us out in that manner. But honestly, sometimes we have customers that get wrapped around the axle on who clicks on the emails and how many emails were clicked on, and I try to tell folks
long gone are the days of stopping people at the perimeter, right? So we've kind of got that pretty close to shored up. Right now it's more of, how do we identify that there's someone there, and how do we slow them down long enough to catch them and do something about it? So we try not to have people harp on who clicked on their email. So that's about email.
So our number one vector, whether it's non-election or it's election, is phishing, getting in through phishing. We don't have detailed stats. We have a fit x-ray, I totally bypass it, I don't know why. We have a whole phishing campaign assessment that people can sign up for. We just rolled it out to the
election officials a few months ago, so we don't have too many stats on it, but I will tell you, I believe that they're gonna be in line with our overall stats, and this is mind-boggling. So by the time Jason sends out an email, or somebody on the team sends out an email, it takes 13 minutes for somebody to click on it. So that's our first presence. So, you know, Jason sends it at 1:00; 1:13, on average, he gets a reply in. But for that person to respond to the SOC, anybody want to take a guess on how long it takes them? Three hours. Three hours. So yeah, 30 days, three hours. But the amount of damage that Jason can do in that three hours is significant and amazing. So he could pivot to other computers, get domain admin, get enterprise admin, exfil the data and be gone in 60 minutes. Gone in 60 minutes, 60 seconds. It was 42 minutes from the time we sent the email to the time we got DA, entire net, more emails. So, right, so using these data-driven stats, we need to educate the users to report it, right? If you see something, say something; it's a DHS slogan, so we'll carry it on to them. But I mean, in all seriousness, it's not to be ashamed to click on an email, I mean, or phishing. I mean, it's gonna happen, or you're just not sure. Yeah, I've done it. I've been caught by a skimmer at a 7-Eleven before, so don't make me, but you know, it happens. I mean, you know, I've been in security for 25 years, but, you know, you do something, you take remediation actions and you take care of it. So the top two in the risk and vulnerability assessment deal with phishing. The next three issues that are consistent across non-election and election are: patch management, we have an issue with that; once we're on site, we see that there's an issue with patching. And admin password reuse: so if we see an admin password somewhere, we're gonna see it somewhere else, whether it's from a local machine to a database to somewhere else.
You want to talk about any examples on that?
Sure, yeah. So there's this thing in the working world where people have to work, right? So sometimes security gets in the way, right? There's this scale of usability versus security, right? So I've been an admin before, I've been a domain admin before, and I've had people come to me and be like, I need this to work and I don't really care about that security part. And then when the boss comes, the CEO or the general comes and says, yeah, I don't care about that either, make it work, and you have to make things work, you run into stuff like admin password reuse. I'm sure if any of you guys here are in IT and any of you are admins, you know that you're not supposed to use your admin account as your daily account. You're not supposed to check email under that account, you're not supposed to do normal day-to-day routines under that account, but when someone needs a password change, you're supposed to log out of that, log back into your other guy, and then do those things. Well, some people, I don't wanna use the word lazy, but automated or efficient, they want to be efficient, so they tend to use that same username and password to do all of the things that they're not really supposed to be doing. So we run into that quite a bit.
And the final, yeah, a lot of people do it. So the final thing is insecure default configurations. So we're seeing that just everywhere. I mean, it's not an election issue, it's not a non-election issue, it's just a person, people issue. That's what our data is driving us to. So I think one of the good things, if there is a good thing, you know, elections have heightened the alert and the knowledge in the general populace that there are security issues, and people are taking it more seriously. So, you know, it sucks that it has to come to this, but people aren't going to change until it directly affects them, and now it's affecting the election community,
which directly affects, you know, America, the population. So if that's what it takes, unfortunately, to change, I think on one hand it's a good thing; on the second hand I don't think it's a good thing. But we've been preaching a lot of the same things in the security community for the past 20-30 years. I'm sure I could pull out one of my speeches that I did in the 90s and give it here and it'd still be relevant: you know, change your password and do this. But we've just got to hammer it down and get people to really take these things seriously and actually get them the resources so that they can handle this and they can do it. So I mean, if you have a list of 50 things to do and each thing takes 70 hours, how many things are you gonna do in a year? You're not going to accomplish much. So all right, so our top observations, and I'll work backwards to the top one. Poor password usage: so we're seeing default passwords everywhere, we're seeing weak passwords everywhere. So yeah, it's really bad. And when someone's like, yeah, and he'll see it right on the desktop, you know, they'll take a screenshot of it and it'll be a spreadsheet or something that just says passwords. You open it up and there it is. So no gatekeeper or any KeePass or whatever; it's just flat text box. [Laughter]
All right, here it is, the top observation. So the main difference, though: everything that we've talked about has been consistent between election systems and non-election systems. The one thing that we've been noticing, and this is honest, on the cyber hygiene side, is the time to mitigate. So we're scanning 98 election officials, and some have come on like two years ago, three years ago, some have come on as recently as a month ago. But the time to mitigate: I see vulnerabilities in these systems for hundreds of days. I don't mind the low ones, I don't mind the informational ones, it's fine, it's informational. But I'm seeing high and critical ones, and
they're just not getting fixed as rapidly as the ones that are in the financial community, in the water community and in other communities. So when I line all the communities up, the election community ranks last in time to mitigate. So if there's one thing that I can say and I can emphasize for the state and local and these private sector companies to do, it is really put in some kind of a process and procedure to fix these. And we're not talking, but
most of them are easy fixes; it's just getting the resources and getting the processes in place. So we did it in the federal government. Assistant Secretary Maura was here earlier and talked about how there's ninety nine agencies, and some agencies are huge, some have four or five people, but we changed their culture, right, to get on these and patch the criticals within 30 days. So we want to get the word out to the election, it's all the communities, but especially the election community, because we're here, to actually patch those vulnerabilities. So we're sending out reports. One thing I didn't mention is how cyber hygiene works from a high level, so conceptually, so you guys could see it. So we scan a machine or we scan a network, and we find a device that's vulnerable. If the machine has a critical vulnerability on it, we'll scan that machine twice a day to see if anybody's closed it. If it has a high vulnerability, we will scan it once a day; if it's a medium, we'll scan it twice a week; and a low vulnerability, we'll scan it once a week. So we're really trying to track closure rate, and we feel that if we can really push the people to close the vulnerabilities, it's a big win for us. So with that said, you got anything else? We'll open it up to questions. I'll be very loud. How's
that? Yeah, okay. So when you work on election systems, are you right now doing any pen testing of machines, or is it all the networks for the election food providers?
All right, so I did mention we have this applied vulnerability assessment program that we're just standing up. So we do have one election system up in house; a company actually donated it to us and said, hey, we want you... and we're getting more and more election companies coming to us and saying, yeah, DHS, help us identify some vulnerabilities, make us better, make us stronger. So right now we're getting through the first pilot, and we have it set up, and we're gonna take the firmware apart and we're gonna diagnose it and do a nice write-up on it. We have several other vendors wanting to do it, and we're building up the resources to be able to do that. So it's something that we're gonna build up later this year, in the next year, and for the 2020 election. Yeah,
It's published well. And I don't know how many times Jason will call me, and he probably hasn't done it from the election side but he's done it from the banking side, and he's like, "Rob, I'm sitting here with the CISO." I'm like, "Oh really? I didn't know they had a CISO." He's like, "Well, he's really their loan officer." So we're seeing that in the smaller communities too, in the election facilities. The bigger companies, like Cook County and in LA, they have a little bit more resources, but it's a tough battle. You know, they just tell people, "Go get this cert," and then they do their day job, and their day job isn't anything to do with security. I think as time goes on that'll change, but we're not there yet.

I'd just like to add on to that real quick. So Rob mentioned the small banks where the guy's the VP plus the IT guy, right? So those things are double-edged swords. Those guys, like you mentioned, they don't really have a handle on security. However, what I'm finding is that the smaller organizations that we go to, the last one I was at was a seventy-people-strong elections place, and everything that we found as we were going along, they were able to mitigate, fix, block, and we retested before we left. So that's a little bit of the beauty of the smaller organizations as opposed to the big ones. I was at a Fortune really-high-number, and their CISO was on the phone with me and he's asking me, "Jason, how do I..." They had a local admin problem there: forty-five percent of their workforce still had local admin on their machines, and this is after they had this campaign to get that reduced from a hundred percent. And trust me when I say they were global. And so he asked me, "How do we fix this? How do I get people to not be local admins?" And I looked at him and, "You're the CISO. I wouldn't write a policy and tell them to stop doing it and then turn it off. I don't know, you know,
how to do it." And so the point to that, other than a joke, the point of that is that the smaller organizations, even though they don't have a well-honed security force or folks there to help them along or to be proactive, when they do find a problem, they do find an issue, it's usually mitigated before we leave. The bigger organizations, excuse me, the bigger organizations we'll go back to year after year and we'll find some of the same holes that were there the year past, which just means that that four hours it took to breach the network and take over now is down to two hours or one hour, because we have all the information from the last time. So, yes? [Laughter]

Yeah, so that's intelinet to dip division, but as far as I know, I haven't seen any reports where anything was altered. So I haven't seen any of that.

So yeah, I mean, what we do is we do assessments, right? And I could talk about all my data and all the data that we do. Oh, I guess one of the first things I should have said: all of our stuff that we do is unclassified. So, you know, we do have clearances, but the guys that we bring on don't have clearances, and the customers that we don't do, because when we're going to state and local governments and private sectors, they don't have clearances. So one of the first things when I came and started this in 2010, I said it's gonna be unclassified, everything that we do, and since 2010, since day one, it's been unclassified. So dealing in that arena, we don't have any idea. But just think, Jason's successful ninety-nine percent, ninety-six point three percent of the time, just with using open-source and unclassified tools and his knowledge and knowing what he does. They get stuck every once in a while, but then they write some scripts and do some coding to do some evasive maneuvers over antivirus and other stuff. But everything we do is on the unclass. So as far as classified stuff, I couldn't tell you. Yes?

Oh yeah, so
two ways. On the Cyber Hygiene side, they define it: we have a form that they fill out and they say, "These are our public IPs and this is what you're allowed to scan." If they have a third-party vendor that they use, they have to get an agreement with them, and then they provide us the IP. But they provide us the targets and the scopes. On the RVA side, we have like a pre-assessment questionnaire that we go through, and I'll let Jason talk about that.

Just one thing I wanted to point out is, again, the service is voluntary. So if an organization comes to us and they give us a scope and it's pretty locked down, I mean, we'll ask for more if we can, if it helps do what we think they need to look at, we will, but ultimately the customer has the final say in that. We work real close with our points, we call POCs, our point of contact or a trusted agent. And so on the scope that they give us, the amount of information that we get in our RVAs, it's a white box, I guess. So everyone knows what's going on, and both parties want, you know, really, if we lose, they win; if we win, they win. So everybody wants to, you know, our goal is to defend the nation, right? I mean, I live here, you guys live here, we want this place to be secure. I want to keep whoever wants our data, and whatever they want to do with it, I have no idea, but we want to keep it secure. So to answer your question, the scope is pretty much dictated by the customer, and we'll help them along if they're kind of lost or they need our help.

Well, let me add one thing to it. So sometimes customers do come in with unrealistic expectations. So like DHS came to us, so we consider DHS a customer even though we work for DHS. So they came to us and they said, "Well, during this two-week event we want you to test TSA, we want to test USCIS, we want to test CBP, we need to test the Secret Service." They're like, "Wait a minute, there's only four guys." So that's what Jason does: he talks to them and says, "What's really critical? What
do we want to test?" So we set expectations. In elections, we kind of know what's critical, and they know what's critical,
right? They're trying to save those databases full of PII, right? All of our data in this room, right? If you're registered to vote, we're trying to save that data. So for them, we kind of know what it is and what to go after. What it really comes down to is, did they give us that information to get, or are they leaving it up to us to find? So yeah. And then in other cases where the customer, like you said, that we're leaving it up to them to tell us what they already know or what they think they know, that's where we'll work with them and talk to them about what it is they're trying to protect. I mean, we've been doing this for so long that we kind of coach them along until, you know, it's beneficial for everybody.

So we have resources, right? We have so many people that work for us. The county is free to go out to Shodan and find that information also. It's free; you found it in a matter of minutes, right? So, you know, we work with willing customers, right? So if a state or county comes to us and says they want to sign up for our services, we'll do more than just find what's on Shodan. So, you know, we're just not resourced to protect, you know, if you count cities and counties and states, I mean, there's over 10,000 different entities, and we're just not resourced to do that. If DHHS gives me the resources and the taxpayer pays for it, I'm more than happy to build that service into mine, but that's not part of our service right now. But I still, yeah. All right, yeah. All right.

You know, a government official, Derek, they're a citizen, right? So, did you see, the United States of America, we're different from a lot of other countries in the world. They're not forcing the government to do something for that county, even though it makes sense. I'm not gonna argue with you that it makes complete sense that we should be protecting everyone, but they have to request it. Yeah, write your Congressman. Yeah, change the law.

Okay, so
just real quick, I know
this is a small room, but what the gentleman is asking is, if people are segmenting their network properly, how has that given us trouble, right? Paraphrasing. So I did a critical infrastructure organization, and they were segmented to the hilt: segmented off their ICS portion through three sets of firewalls, three different segments. However, in order to make things work, and in order to have the least amount of admins throughout that network, the only hole they opened in the firewall was the hole to allow communication between the Active Directory servers so that they could replicate, right? And so we rode those channels through three or four different security devices until we hit the SCADA systems. So the answer is, if it's done properly, which I'm not really sure we've seen yet, let me rephrase that, it has done it properly.

Well, yeah. Well, sure. Yeah, so there's one. Let's turn it off. But actually there's one election state that actually did it right. So they had it segmented so much that their registration database was offline, and to update and make changes to the database, it was a manual process: you had to walk from one room to another. So we're trying to get them to write up some papers and share with the other states and share their best practices, so it gets there. So that was one of 50.

That's pretty easy: we'd send them an email. Now, so within the NCCIC there's several other groups. There's a Hunt and Incident Response Team that we work with that is almost a sister organization to us. We would work with the customer and tell them of the evidence that we found or identified, and we'd ask them if they want to get our sister organization, the Hunt and Incident Response Team, to come in house and to actually identify that, and then not only find that one target but then other machines that had indications of compromise on it.

So, stop me if I go too far, but we actually have a very good example of that. We just
had that happen two or three weeks ago, right, Face? Yeah. So one of our high-speed guys is here; his hacker handle's Face, for those of you that know what the A-Team is. He actually ran into a system; when we got on it, there was evidence of compromise. Turns out they were still on that box, crypto mining, I believe. And so we handled that with a customer. We definitely have a protocol for that: everything stops, comes to a halt, we contact those folks, and we put them in contact with the people that Rob just mentioned.

Yep, and send them an email. All right, thank you. [Music] [Applause]