BSides London 2021 BSides London 2021
Join event to build your agenda.

Reflections on trusting Zero Trust (or why I have zero trust in Zero Trust)

- GMT
Track 2

Tim Brown joined Cisco as part of their acquisition of Portcullis for whom he worked for almost 12 years. He is equally happy performing white box assessments with access to source code or where necessary diving into proprietary binaries and protocols using reverse engineering methodologies. Tim has contributed to a number of Cisco’s bespoke methodologies covering subjects as diverse as risk and compliance, secure development and host hardening. Tim has looked at targets as varied as risk, mainframes, MPLS, power stations, cars, banking middleware and devops as well as supporting Cisco's SOC and incident response capability. Outside of the customer driven realm of information assurance, Tim is also a prolific researcher with papers on UNIX, KDE, Vista, Active Directory and web application security to his name. Tim is credited with almost 150 vulnerability advisories covering both kernel and userland, remote and local. Most recently Tim spoke to the ATT&CK community on some of his use of ATT&CK for data science and threat hunting research. Tim particularly like to bug hunt enterprise UNIX solutions.


This one was inspired by a conversation with a friend who red teams for a well known consultancy… I have a vendor hat, I will remove said hat for this presentation. The purpose of this talk is to take a ""neutral"" look at Zero Trust in the wild and dissect what market analysts promise vs the realities of implementing it. This talk looks at:

 * Technical debt that often gets inherited along the way

 * Control gaps we lose as we dash headlong into the cloud and how we might replace them

 * New weaknesses that Zero Trust implementations bring by virtue of how “Zero Trust” software sometimes works

 I'll go into the catalogue of vulnerabilities and weaknesses that I've been building surrounding Zero Trust technologies and make some observations about where we might do better.