Disobey 2023

A retrospective of major cybersecurity events. A glance in the AI and Cloud crystal ball. Looking inside for industry introspection.

We were eager to attend Disobey after a long hiatus. The pre-published program seemed to offer a nice mix of high and low level presentations.

Mental health and cybersecurity – a match made in hell?

Friday’s keynote by Antti Kurittu focused on the most relevant Finnish cybersecurity incident of the last few years: Vastaamo. However, since the leak has already been examined in the media, it didn’t surface so much in other presentations.

A later presentation by Juho Jauhiainen definitely stood out from the rest. It focused on an individual’s journey in cyber security: how the competitiveness of the industry impacted their mental health and what really matters in the end. This was undoubtedly an eye-opener for many that suffer from the same pressure. It should be noted that while the talk was done from the cybersecurity perspective it also applies to the other areas of IT as well. A huge thanks to Juho and we need more sessions like this!

Another great presentation worth mentioning was held on Friday evening. The presentation was a case study on whether it is possible to pick the Abloy’s “EASY” mechanical lock model, which was released in 2021. While the topic is in itself interesting, what made the presentation awesome was that the presenter Petri Maksimainen (also known as Idanhurja) delivered it in his own personal and positive way. The presentation also slightly touched on cyber security penetration testing and how testers can keep their own morale up by adding encouraging message prompts into their scripts!

Year of the Linu^H^H^H Skynet

Producing high-quality deepfakes is not yet trivial, it requires various resources like (voice) actors, good production values, time, etc. At the moment individuals do not need to worry about being the target of deepfakes, as credible productions require a large amount of available video and audio material of the subject. Nevertheless, the impact of a successful deepfake can be very damaging. Mika Juuti examined deepfakes with scientific precision in their presentation “Deepfakes through the lens of an adversary model”, a definite recommendation!

ChatGPT has been in the news for being an enabling tool for hackers. It was also featured in Disobey, where there was a large amount of hype associated with it. One statement is that it enables cybercrime by working as a malware generator. However, most of the examples spat out by ChatGPT are clearly broken or non-functional, requiring programming and/or hacking experience. Currently, ChatGPT has already been severely limited in its ability to produce exploits or malware.

Adversarial AI was largely only speculated upon with “Attacking AIs fighting defending AIs” so sadly no concrete examples of adversarial AIs weren’t seen. Maybe not surprisingly, there was no mention of methods to protect against AI attacks either.

We are not trying to downplay AI as it will be the most transformative tool of our time. Rather we want to point out that AI is not (yet) the bringer of the cybersecurity apocalypse, but its definitely a thing to keep your eye on.

Get your sh*t together

The term “Shadow API” popped up in a presentation. However, we saw it only as another term for improper asset management. Despite what term one uses, asset management remains an important process, which nowadays should include listing of exposed interfaces, no matter whether those are related to production, testing or some other environment.

In the modern times security is everyone’s business and it should be put into practice in every project, preferably earlier than later. For this purpose, threat modeling is the right process. Threat modeling ensures that project assets are recorded, the architecture is up to date, threats as well as threat actors are charted and responsibilities are assigned for implementing contingency measures.

Cloud stuff

Cloud Security was discussed in multiple presentations. One key takeaway was that attackers are now well-equipped to both find and exploit vulnerabilities in the cloud. Note that this is not proof of inherent insecurity of the cloud but rather of its incorrect usage.

The second takeaway was that your CI/CD environment should be guarded like your life depends on it. Compromising it gives the attacker keys to your kingdom. Attackers know this and are focusing their efforts especially on CI/CD. As always, protective controls are mandatory, but in addition to them detection controls should be implemented to ensure that unusual activity within environments is noticed, which allows fast response and mitigation. Another mitigation practice is to separate environments from each other as well as utilize principles of least privilege and zero trust to minimize the so-called “blast radius” from a possible breach.

See Nick Jones’ presentation Stormy skies: Modern cloud attacks and their countermeasures and Dangers of service as a principal – AWS by Matthew Keogh and Tom Taylor-MacLean.

Hope you found Disobey as entertaining and informative as us, see you there next year!