ISC West Session Preview: Meet the Hackers

ISC West will occur as scheduled March 17-20, 2020. The show is not being canceled or postponed.

Recently, physical cybersecurity has come into full view within the physical security industry. Cyber threats aren’t new to physical – they’ve always been there. Its only now that physical is taking notice.

As industry participants undergo the journey of figuring out what they should do to improve security from attackers, it begs the question “How many physical security professionals actually know any real full-time hackers?”.

On March 19 at ISC West 2020, join Terry Gold, principal analyst at D6 Research, for the SIA Education@ISC session Meet the Hackers: Evil Thoughts and Insightful Discussion. We caught up with him briefly to get a preview.

SIA: How important is this topic?

TG: Immensely. Just starting the cyber journey, and the most frequent comment I hear is “Hackers will do that – or they won’t do that.” I tend to ask if they know any hackers or tend to know they don’t. The hacker community is somewhat closeknit. Look, it’s the same thing as trying to implement defenses against having your bank robbed. You’d want to be able to build a profile of the likely bank rover and understand their methods and patterns so you can make wise choices about your specific countermeasures and resources. Cyber is the same way, except for some reason this industry generally isn’t doing that.

SIA: What gave you this idea?

TG: Well, my background is deep domain expertise in both physical and InfoSec, and about 10 years ago inadvertently ended up in the “hacker” community. Still there, and I never see any physical security professionals in that community, discussions, etc. Security discussions are a lot different there than in our conference rooms, so I wanted to bring that to this audience that likely don’t have access to that community.

SIA: Who’s on the panel, and how did you go about choosing who would be on it?

TG: First, Val Thomas. I started working with her about 10 years ago. We’ve done projects together and also put together training at DEFCON for hackers to learn about exploiting physical systems. So we know each other well and work together great, and she always has great insight.

Second, Joe Luna. Similarly, I’ve known Joe for a while. He’s been hacking since DEFCON didn’t even know it was going to be a big conference. He does really cool stuff, has worked closely with law enforcement to take down bad guys and just lives in that dark space.

Both have the evil genius mindset of looking at the world of how anything and everything could be exploited. Lucky for us, they’re good hackers discovering vulnerabilities and telling customers how to fix it before the bad guys discover it and don’t tell them.

SIA: Can you give us an idea of what will be discussed?

TG: Well, first, we’ll take an entertaining approach. Hackers have THE best stories – trust me. This will be fun. So we’ll bring to light some of the really crazy stuff they see. Through this we’ll illustrate some common themes that apply generally to technology, but since this is a physical security conference, we’ll start to get into those stories that can really illustrate relevance between how hackers view, engage and strategize in the physical domain.

SIA: Can you be more specific?

TG: Sure, I think most people know by now how card are cloned, etc. But they probably don’t know how cards can be exploited without ever even accessing the card itself. How can you get through mantraps, well, multiple ways. I could shut down the whole PACS and not let anyone into buildings – or not let anyone in. I could hijack a reader, even a “secure” one (or one the industry deems as secure). The list goes on. In fact, Val and I are giving a 2-part presentation, Protecting Physical Security Systems From Cyber and Human Threats, this year (in separate sessions) that is focused on just the methods of exploiting the technology). This will be more focused on select topics to illustrate how hackers think, what their end game is, so the audience will be able to think a little more like them and less like what others tell them to.

SIA: Will the audience be able to ask them questions?

TG: Yes. While I want to make sure we get some items on the table for the benefit of the audience in general, people will be able to jump in. It will be my job to make sure we keep moving, but we’ll leave a good 20 minutes at the end to just take new questions form the audience. We’ll also be sticking around after as we understand people may have questions that aren’t really suited for a public audience.

View the full session description here. And learn more about ISC West and register to attend here.