Security Chasm! HITB 2010 Keynote by Dr. Anton Chuvakin
"Have you often wondered why people are updating their security policies, closing compliance gaps and defining an ISMS while attackers are owning their systems – at the same time? Why consultants advise management on ‘risk tolerance’ while new bots are being deployed on what was formerly known as ‘your network’? Why some say that “DLP is all the rage” while record data losses occur daily?
Reality today often presents a grim vision of “two securities”: one concerned with ‘elevating the infosec conversation’ while the other is concerned with cleaning up the mess on our networks and systems. In one, people pretend to ‘assess risk’ while in the other incident response is the only way to go….

This very concept, which I call the “security chasm,” will be the subject of my keynote presentation, along with such questions as “why do we wear seatbelts because of the monetary fine, but not because of the risk to our lives?” and “What will make us secure?” (and what does it actually mean!)

Finally, I will explore the future of what we now call the ‘security industry’ and make a few long-term predictions of where we will end up in a few years…."

Speaker notes

  • First: we are not here to learn how to become PCI compliant!! Keynote = THINK about security and HAVE FUN, not get trained.
    TODO: Netherlands fine for not wearing a seat belt in a car (bicycle?)
    NHTSA study: no law - no belt; enforcement + education; belief in likely enforcement
    Idiosyncrasy (idiocy?)
    Seatbelts: chance of DEATH vs likelihood of a $50 fine
    "Dumb management": PCI instead of security; PCI DSS over IH to live incident
    People like to accept the risk - of OTHERS
  • Think of #1 as parallel universes.
    Have you often wondered … why people are updating their security policies, closing compliance gaps and defining an ISMS while attackers are owning their systems – at the same time? Why consultants advise management on ‘risk tolerance’ while new bots are being deployed on what was formerly known as ‘your network’? Why some say that “DLP is all the rage” while record data losses occur daily?
    Reality today often presents a grim vision of “two securities”: one concerned with ‘elevating the infosec conversation’ while the other is concerned with cleaning up the mess on our networks and systems. In one, people pretend to ‘assess risk’ while in the other incident response is the only way to go….
  • NEED PICTURES
  • Note: compliance was NOT part of the security conversation AT ALL. To me, that was shocking when I spent time in the “compliance-free” environment of Project Honeynet. It rang loud as silence.
    Note: I use “risks” loosely to mean “badness”, not “probability of loss” or the “T x V x A / S” kind of thing.
    NEED PICTURES
  • While many hope for a Gaussian, in security – counter to intuition! – most people are below average!
  • 2/3 of value in OWN data, ½ is spent protecting it!
    Forrester report: “Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity.”
    + infrastructure to handle either kind of data, business-critical processes, etc!!!
    Consequences: "PCI technology" or "PCI industry"
    Custodian vs owner of data
    Laws made you secure 3rd-party data
    You are free to screw yourself by losing your own data
    PCI vs "your risk"
    Might be protecting CC > your key data!
  • + not have OWN DATA
    + not have CUSTODIAN DATA
    + removes CUSTODIAN DATA = protects CUSTODIAN DATA!
    + protects key business processes
  • First: we are not here to learn how to become PCI compliant!! Best insight into compliance.
    Link IS established: belt -> less chance of death.
    Still, only EDUCATION + ENFORCEMENT works. Click it – or ticket!
    PCI instead of security
    PCI DSS over IH to live incident
    People like to accept the risk - of OTHERS
  • As someone closely involved with PCI DSS, I observed this peculiarity more than a few times.
    Myth: PCI is too hard … “… too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable”
    Myth: PCI is easy: we just have to “say Yes” on the SAQ and “get scanned”. “What do we need to do - get a scan and answer some questions?”
    Reality: Not exactly - you need to:
    a) Get a scan – and then resolve the vulnerabilities found
    b) Do all the things that the questions refer to – and prove it
    c) Keep doing a) and b) forever!
  • Some think that this is the fundamental debate of today. PCI panels – see video (ShmooCon, BSides, next at DEFCON). It is not.
    Security chasm is the real underlying debate. Talking up security vs doing it!
  • OR: Every time you think “Compliance OR security,” god kills a kitten!
    Profit = not ROI scam, but how to benefit from the fact that PCI exists.
    HACKER QSA
    Security first, compliance as a result
    Compliance as motivation, security as action
    Philosophy:
    Do you agree with "laws against stupid?"
    Tenuous connection of controls/practices vs outcomes
    Compliance is "easy", security is hard
    If you lose my SSN, I WANT your business to FAIL!
    Compliance vs risk. Or is it FOR risk?
    "We might get hacked, but we will get audited"
    Age of irresponsibility / entitlement
    ANTI-COMPLIANCE:
    "Checklist mentality"
    "Teaching for the test"
    "Whack-an-auditor" game
    Induction of "mandate = ceiling" thinking
    Narrow focus on mandated controls
    No focus on controls effective for you!
    Lack of innovation
    Slow speed of mandate changes
    Difference in assessment quality
    Extra diligence of post-breach assessment
    Total disconnection of compliance from security
    $0.71/month scans
    Compliance spending misaligned with risk
    Unhappy with compliance? Never did ANY security
    "PCI compliance has not been “operationalized” by 95 percent of merchants"
  • Some think that this is the fundamental debate of today. It is not.
    Security chasm is the real underlying debate. Talking up security vs doing it!
  • Same: compliant while owned
    GRC implemented without regard to security controls! (did happen!)
    (TODO: see blog post!!)
  • A few years ago, I was curious and asked all my F1000 security friends – how many owned boxes do they have? How do they know?
    Now it is pointless… All F1000 and G2000 have owned boxes. Why bother people about it? A CSO says “he won’t buy NetWitness since he does not need to know where the owned boxes are”!! He’d then have to fix them.
    Now: business ran today -> security worked. No need to rock the boat!
  • Told a friend “why should I use a compromised PC for banking?”He took offense.I simply realized that I followed my general principle that all PCs are owned….
  • PAPER assessment
    LABELS? “Talking up” security VS Doing security
    “Smart” Security vs “Stupid” Security:
    Risk (to the extent understood … which is often not much) vs Compliance, “doing the minimum checklist”
    Monitoring for attacks vs “Nobody wants to hack us”
    Application security vs Network security
    Firewalls, SSL, AV, IDS/IPS, WAF, SIEM, DLP, DAM, etc vs Firewalls, SSL, AV
    Visibility (striving for it) – know control is impossible vs Control (failing with it) - afraid of visibility
    Want to know how secure they are vs Afraid to know – but want to just “be secure”
  • Reactive -> responsive
  • Longer term: slow trend toward chasm closure
    Some from the 1st camp will call it “aligning security and business”, but it is not.
    2020: http://chuvakin.blogspot.com/search/label/2020
  • Some stuff just can’t be 0wned … not all the time
    Security Predictions 2020 (!)
    How impossible is it to predict anything in the field of information security? 10 years into the future? Still, the purpose of this endeavor is not necessarily to “have everything right”, but to have fun in the process and to get people to think beyond the immediate tactical horizon in information security.
    Let's start from the overriding trend that will define the rest of the discussion: the walls between the computer world (aka the Internet, cyber-anything, online, virtual, cloud, etc) and the “real” world (aka meatspace, Earth, “outside”, “reality”, offline, etc) will break down beyond a certain interesting point, both on the perceptual level and in reality. With – duh! – huge implications for our profession and practice of information security.
    What do I mean by this? Whether perception is reality or not, studies I’ve seen (examples, more, more, more) point out that most people behave differently in the online world and in the so-called “real” world. People can also point at many factual differences between the online world (which happens inside a human-created medium – networked devices) and the outside. I believe that this difference explains at least some of the current information security problems – on some deep level people just don’t see computer intrusions and other issues as “real enough” for them. Even the simple fact that we have “crime” and “cybercrime” points to this difference.
    So here is the punch line: I think that in the next 10 years these two worlds will be much closer to each other, in both perception and “real” reality. HUGE implications for information security will result.
    Where's the evidence? Here are all the things that I bundle into that “ultimate convergence”:
    Everything geo-related: GPS in phones, location-aware services, and even integrated Internet in cars. When you start to “google for coffee,” you straddle both worlds.
    Augmented reality, conspicuous high-speed video uploads (in 2020) and video analytics capture the real world and “map” it onto the online world. And as computing devices first become wearable (needed for AR), and then implantable (best for AR), the convergence between both worlds will become even more intense.
    Everything computing embedded in objects: embedded computers in an ever-increasing percentage of the things we use in the real world; these will go a long way from the first Internet-connected refrigerator. Yes, clothes and shoes, not just sunglasses, are not far behind – and with Bluetooth or whatever future incarnation, such a wearable “PAN” comes within reach. BTW, trains and planes run on computers too… And I am not even touching SCADA.
    Everything robotics: robots, from Roomba to military hardware, are one more way for the computer realm to “act out” in reality. If you are confused about this argument, think about the following: a crashed computer will destroy only a computer and the information inside. A crashed computer in a vacuum-cleaning robot can potentially destroy … your carpet. A crashed computer in a robotic high-speed cannon… you get the picture.
    On a perceptual level, some studies have noted that younger generations (and here) do not draw the line between their Facebook friends and their real-world friends. This is an example of the same trend, but occurring in the mighty realm of perception. If you are born and then grow up with (and on) the computer, your views of the “computer world” will be different from those who still see computers as something “not really real.”
    On top of this, advances in bio-sciences will obviously rely on computers and algorithms. I predict this would be another way for the computer realm to impact the “meatspace”, and not only through implantable computers.
    Finally, the Ultimate Proof that such convergence has in fact taken place will be - you guessed it right! – cyber-terrorism. Smart folks today object to the concept of cyber-terrorism by [correctly!] stating that “real world” terrorism is more impactful. Today – it sure seems like it. In 10 years, when the “real world” is so much closer to the “computer world” – I am just not going to bet on it…
    All of the above will make information security and computer security (as well as the dying art of network security) PAINFULLY more relevant to people’s lives. If an attacker from a remote location can crash the computer and steal your data, this is bad. If that same attacker can impact what you perceive to be your “real world,” the game changes. And change it will - probably even before 2020. What will stand between such an attacker and others? That’d be you and me, my dear reader :-)
    The above convergence will also be combined with these “side trends”, all with big impact on security:
    In 2020, a lot of tasks can only be done with computers - or not at all. Now we can still buy a book in a bookstore, and you can pay with a credit card when computers are down. Forget that – in 2020! Such irreplaceability of computers and the Internet will make security sharply more relevant. Your business will not simply switch to an old, inefficient mode when the Internet is not available. It will STOP.
    To quote Alvin Toffler, there will also be a lot more information and thus a lot more computers to process it. These are added to the above-mentioned embedded computing devices. The result is not just an increased target set, but also more businesses being completely reliant on computers for their operation.
    I also predict a much larger use of non-deterministic algorithms, such as those based on statistical methods. This will imbue the phrase “the computer did it” (and we don't know why and how) with a whole new meaning…
    Complete local and network scope convergence due to cloud computing and ubiquitous connectivity. There will be no such thing as a device asking “can I connect to the Internet?” As a result, the Internet becomes a fabric of distributed applications, not the client/server push/pull model we still largely have today. Security implications? You bet! BTW, this will also kill the whole “but why did they connect that to the Internet in the first place?!” thinking.
    As a result of the last point, the whole control over data will have to be done in a completely new way - or not at all. And if you think web hacking is fun today, just wait until 2020 :-)
    So, I don’t know what features your log management system will have in 2020 or what the label “firewall” will mean in 2020, but what I do know is that it'll matter much, much more than now. Despite all the harping about information being “critical for business”, we only protect information today. Sorry for a bit of grandstanding here, but we will literally protect the world in 2020… Enjoy!
  • (*) we are kinda doing it now 
  • http://taosecurity.blogspot.com/2010/03/ge-cirt-joins-first.html

Transcript

  • 1. Security Chasm!
    Dr. Anton Chuvakin
    Security Warrior Consulting
    www.securitywarriorconsulting.com
    Hack in The Box
    Amsterdam, The Netherlands
    July 2010
  • 2. Why Are We Here?
    Risk of DEATH vs Risk of $60 fine?
  • 3. Outline
    WTH is “security”?
    How we got here?
    Security and/or/=/vs Compliance?
    Security vs security?
    Does what we do for security actually … improve security?
    Where it is all going?
    What can YOU do today?
  • 4. For ADD Folks: Main Theme
    There are “two security” realities: one conceptual and fuzzy + another painfully real. And a chasm between them!
    This is not good – for security and for businesses!
    What can we do about it?
  • 5. Brief History First….
    1950-1985 Stick Age: Security = door lock
    1985-1990 Stone Age: Security = anti-virus
    1990-2000 Bronze Age: Security = firewall
    2000-2005 Iron Age: Security = IDS/IPS
    2005-2010 Modern Age: Security = appsec
    2010+ Cloud Age: Security =
    But this is technology only…?
  • 6. OK, How About This View?
    1950-1985 Stick Age: Local risks
    1985-1990 Stone Age: Computer risks
    1990-2000 Bronze Age: Network risks
    2000-2010 Iron Age: Regulatory risks
    2005-2010 Modern Age: Cybercrime risks
    2010+ Cloud Age: All-of-the-above risks? 
    Gross oversimplification, of course 
  • 7. So, what are we doing? Aka “What is Security?”
    Protecting the data
    Defending the network
    Guarding the IT environment
    Reducing “risk” (what risk?)
    Yes, but really …
    We ensure that organization runs and wins!
  • 8. Leaders vs Losers
  • 9. …and what if they still don’t?
    Then some regulatory body would come and beat them up ….
    … and they’d continue to stay 0wned, of course 
  • 10. Drilldown into “Compliancy”
  • 11. Where Compliance Fears to Tread
  • 12. Observations…
  • 13. Compliance Is…
    Risk of DEATH vs Risk of $60 fine?
    DOT study on seatbelts:
    Compliance = (Awareness + Enforcement) / Security Benefit
  • 14. Chasm Emerges!
  • 15. Compliance Mystery Solved!!
    Compliance is the “floor” of security
    And a motivator to DO IT!
    However, many prefer to treat it as a “ceiling”
    Result: breaches, 0wnage, mayhem!
  • 16. Compliance vs Security
    X
  • 17. How To “Profit” From Compliance?
    Everything you do for compliance, MUST have security benefit for your organization!
    Examples: log management, IDS/IPS, IdM, application security, etc
  • 18. Back to Chasm…
    Compliance is NOT the reason for a chasm, but it made it …
    MORE VISIBLE!
  • 19. SIDE 1: Consultant Comes In…
    Talks to senior management
    Scopes a “risk assessment” project
    Start talking to “stakeholders”
    Reading policies …
    …never touches “metal”
    Comes up with RISKS!
    Are we secure now?
    Security can be as dumb as compliance…
  • 20. SIDE 2: Intrusion Tolerance …
    … aka Running an Owned Business.
    Why it is [seen as] OK?
    Non-critical assets affected
    Non-critical C-I-A dimension affected
    Assets operate while affected
    Other priorities override
  • 21. Moreover: Assumed 0wnage!
    Desktops: banks now assume that online banking client PC is owned
    If I see a PC now, I assume it is 0wned! 
    Web applications: not even “luck based strategy”, but “lazy attacker strategy”
    Static HTML is OK, of course 
    If we cede desktop and web, where DO we fight?
    What is the new line of battle?
  • 22. Chasm?
  • 23. Chasm!!
    SIDE 1
    • “Aligning strategy”
    • Writing policies
    • Talking risk and doing assessments
    • Compliance vs security
    • Inputs
    • Try for “proactive” and fail
    SIDE 2
    • Gathering metrics
    • Responding to issues
    • Figuring out risks and implementing controls
    • Keep the business running
    • Output -> inputs
    • Focus on responsive
  • Related Security Mini-Chasms
    Proactive vs reactive
    Risk vs diligence
    Policy vs technology
    Inputs vs outputs security
    Micro and macro security
  • 34. What Does Future Hold?
    More regulation to compel the laggards
    More threats to challenge the leaders
    Less chance to do “intrusion tolerance”
    And - of course! – more clouds 
    Longer term:
    slow trend toward chasm closure
    However….
  • 35. Security 2020?
    Added dimension to spice things up...
    In 2020, security FAIL might mean you DIE!
  • 36. Conclusions: How To Bridge The Chasm?
    Is intrusion tolerance the only way?
    “Titanic DID have compartments”
    Use compliance to drive security – not whine about it
    NEVER conceptualize without doing! (*)
    Chasm exists – but you can start closing it at your organization by always connecting mission with “metal”
  • 37. Action Item!
    NOW LET’S ALL GO PRACTICE INCIDENT RESPONSE!!!
  • 38. Questions?
    Dr. Anton Chuvakin
    Security Warrior Consulting
    Email: anton@chuvakin.org
    Site: http://www.chuvakin.org
    Blog: http://www.securitywarrior.org
    Twitter: @anton_chuvakin
    Consulting: http://www.securitywarriorconsulting.com
  • 39. More on Anton
    Now: independent consultant
    Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
    Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
    Standard developer: CEE, CVSS, OVAL, etc
    Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
    Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  • 40. Security Warrior Consulting Services
    Logging and log management strategy, procedures and practices
    Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
    Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
    Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
    Help integrate logging tools and processes into IT and business operations
    SIEM and log management content development
    Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
    Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    More at www.SecurityWarriorConsulting.com
  • 41. Want a PCI DSS Book?
    “PCI Compliance” by Anton Chuvakin and Branden Williams
    Useful reference for merchants, vendors – and everybody else
    Released December 2009!
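Slide 17 (“How To Profit From Compliance?”) insists that everything done for compliance must also carry a security benefit, and names log management first; slide 15 frames the same point as compliance being a “floor” that many treat as a “ceiling”. The script below is an added example, not part of the keynote or of Security Warrior Consulting's material. It runs the same mandated log review two ways over a constructed handful of sshd-style auth log lines (the hosts, addresses and events are invented; the IPs come from the documentation ranges): a “ceiling” review that only proves logs exist and were looked at, and a “floor” review that reads them for failed-login bursts and, the finding that matters, a successful login from a source that had already been hammering the host. The threshold of five failures is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd-style auth log lines (not from the talk):
# one source brute-forces root and eventually gets in, another source is
# a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
Jul 10 03:14:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 10 03:14:03 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jul 10 03:14:05 web1 sshd[4023]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 10 03:14:07 web1 sshd[4025]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jul 10 03:14:09 web1 sshd[4027]: Failed password for root from 203.0.113.7 port 51248 ssh2
Jul 10 03:14:11 web1 sshd[4029]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Jul 10 08:02:44 web1 sshd[5102]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
Jul 10 08:05:10 web1 sshd[5110]: Failed password for deploy from 198.51.100.20 port 40120 ssh2
Jul 10 08:05:15 web1 sshd[5112]: Accepted password for deploy from 198.51.100.20 port 40122 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def checkbox_review(log_text):
    """'Mandate = ceiling' reading of a log-review requirement: prove that
    logs exist and somebody looked at them. This satisfies an auditor and
    can never produce a finding."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return {"lines_reviewed": len(lines), "findings": []}


def review_auth_log(log_text, threshold=5):
    """'Mandate = floor' reading: the same review, done so that it yields a
    security result. Flags any source with >= threshold failed logins and,
    more importantly, a successful login from a source that had already
    reached that many failures. The threshold is an assumed value."""
    failures = Counter()             # source IP -> failed attempts so far
    failed_users = defaultdict(set)  # source IP -> usernames it tried
    successes = []                   # (src, user, method, prior failures)
    lines = [l for l in log_text.splitlines() if l.strip()]
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            failed_users[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            # Lines are processed in log order, so failures[src] is the
            # number of failures this source had *before* it succeeded.
            successes.append((src, user, method, failures[src]))

    findings = []
    for src, n in failures.items():
        if n >= threshold:
            findings.append(("brute_force", src, n, sorted(failed_users[src])))
    for src, user, method, prior in successes:
        if prior >= threshold:
            findings.append(("success_after_brute_force", src, user, method, prior))
    return {"lines_reviewed": len(lines), "findings": findings}


if __name__ == "__main__":
    print("checkbox review:", checkbox_review(SAMPLE_LOG))
    for finding in review_auth_log(SAMPLE_LOG)["findings"]:
        print("finding:", finding)
```

Both functions report the same `lines_reviewed`, so as compliance evidence they are indistinguishable; only the second one turns the mandated review into an incident to respond to, which is the difference between treating the requirement as a ceiling and as a floor.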