20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!

1. Bad Advice
Unintended Consequences
and
Broken Paradigms:
Think and
Steve Werby
RVAs3c 2014
ActDifferent
1

2. Insanity
 Insanity [noun] in-ˈsa-nə-tē: Doing the same thing over and over again
and getting and expecting different results1
 s/Insanity/Information Security
21 Despite popular belief, there is no evidence that this was written or spoken by Albert Einstein

3. We’re Doing it Wrong
 Security == 0 || Security == 1
 Focus on vulnerabilities
 Think in terms of worst-case scenarios
 Serve as an obstacle
 Don't demonstrate value
 Point fingers
3

4. What Do You Mean By “We”?
He's talking
about me!
65%
I can relate to
some of this.
20%
Not me
[I'm delusional].
13%
My house
is in order!
2%
4

5. But Blame is Shared
How can we align with org’s objectives?
What do you think we should do?
What’s our risk for scenario I read
about?
Should we address this?
How can we prevent this in the future?
How did you let this happen!?
5

6. Who am I?
 I am not a rock star
6

7. Who am I?
 I am not a rock star
 I am not a guru
7

8. Who am I?
 I am not a rock star
 I am not a guru
 I am not a thought leader1
8
1 I am not belittlingly Chris Eng (pictured). I am a fan of the video he created, “How to Become an Information Security
Thought Leader”. https://www.youtube.com/watch?v=Pc64xWxRsag

9. Rules and Guidelines
9
Please hold questions until the end. I’ll also be
available after the talk.
It’s OK to laugh. Information security is tough
if you keep everything bottled up.
Constructive and unconstructive feedback welcome
at @stevewerby. And don’t forget hashtag #rvasec.

10. Disclaimer, Disavowal, and Renunciation
 These are not necessarily the views of
• My employer
• You
• Anyone else or anything else in the universe
 If your feelings are easily hurt by being told you've been doing it wrong,
consider leaving
• But you'll miss some ways of doing it better
 This disclaimer/disavowal/renunciation is retroactive to the Unix Epoch
• And is subject to change without notice
10

11. Bad Advice
11

12. Bad Advice
12

13. Bad Advice – Passwords
 Use unique passwords, memorize them, and change them regularly
 Bad
• Unique isn't actually what we want
• We don't really care if they memorize them
• Change them every 42 days
- Reason no longer applicable (offline brute force defense)
- Research doesn't even support that it's effective
13

14. Rules and Guidelines
14
Make it difficult and they will find a workaround!
Challenge the status quo!

15. Unintended Consequences
15

16. Unintended Consequences – Passwords
 Get entered into wrong system
 Ignore “requirements” and don't make them unique
 Write them down insecurely
 Unique, but other password give clues about this password
 Change regularly leads to (n+1)th similar to nth
16

17. Rules and Guidelines
17
Implement practical, palatable solutions!
Focus on outcomes!

18. Bad Advice – Long, Technical Policy
 Too looooooooooooooooooooooooooooooog
 Legal is happy, you may be happy
• Serves as a CYA and a violation lever
 Many never even consider reading it…but if they do
• Not easy to comprehend
• Impossible for users to retain
 Doesn’t consider impact on those affected
18

19. Rules and Guidelines
19
Challenge the status quo!
Build relationships and establish credibility!

20. Broken Paradigms
20

21. Broken Paradigm – Passwords, FW, OS Patching, AV
21
Passwords Firewalls
OS Patching Antivirus

22. 22
? ?
? ?
Broken Paradigm – Passwords, FW, OS Patching, AV

23. Broken Paradigm – CIA Model
 Should be AIC
 Masquerades as a holistic security model, but is a limited model that
focuses entirely on information
 Parkerian Hexad better
• Adds possession, authenticity, availability
23

24. Werbian Quintet
Level 1
• Utility
• Availability
Level 2
• Integrity
Level 3
• Confidentiality/Possession
• Authenticity
24

25. Rules and Guidelines
25
Align with business needs!

26. Broken Paradigm – Vulnerability-Centric
 Unlocked, 20-year old, empty beaten up car in middle of full parking lot
 Unlocked house with $10MM in diamonds in the middle of the desert and
only 1 person knows it’s there
26

27. Rules and Guidelines
27
A vulnerability without an impact is not a risk!
A vulnerability without a threat is not a risk!

28. What Information Security Is (Allegedly)
 Information security is the practice of defending information against
unauthorized access, use, disclosure, modification, or destruction
28

29. What Information Security Is (Really)
 Information security is the defense of information and IT systems in
alignment with stakeholders' direction for addressing risk and
opportunities
29

30. What Information Security Is (Really)
 Information security is the defense of information and IT systems in
alignment with stakeholders' direction for addressing risk and
opportunities
 Breaking it Down
• What information do we have?
• What IT systems use it?
• Who are stakeholders?
• What are our risks?
• What are our opportunities?
30

31. Focus – From Chaos to Disorder
Phase 1
• Org mission and vision
• Org goals and success factors
Phase 2
• Essential business processes
• Secondary business processes
Phase 3
• Information
• IT systems
Phase 4
• Risks
• Opportunities
31

32. Rules and Guidelines
32
Start simple and enhance later!
Align with business needs!

33. What Risk Is
 R = Threat * Vulnerability * Impact
 R = Likelihood * Impact
• Can be range of impact/likelihood scenarios
• Likelihood of threat exploit vulnerability
resulting in impact
33

34. 34

35. Risk Appetite[1 of 2]
35
 Expressing risk appetite
• Boundary on impact/likelihood grid
• Descriptive
- 99.9% manufacturing system uptime
- No social media account abuse
- No audit findings
• Maximum annual $ loss (bottom quartile
for industry)
 Can vary
• Across business units (R&D vs. marketing)
• By scenario (PII vs. IP, individual records vs. bulk loss)

36. Risk Appetite[2 of 2]
Level 1
• Infosec
Level 2
• IT leadership and IT support aligned with LOB
• Others who may have insights, even if lack authoritative knowledge
Level 3
• LOB management
• LOB leadership
Level 4
• Risk steering committee
• Enterprise leadership team or board
36

37. Rules and Guidelines
37
Take advantage of opportunities!

38.  Tool for infosec
 Adequate for explaining to stakeholders, though they care about impact
and likelihood, not threats and vulnerabilities
 Inefficient and illogical way of identifying risk though
Threat Model to Assess Risk[1 of 3]
38
Chart is a modified version of a chart in the OWASP Top 10 – 2013
(http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf)

39.  If likelihood of impact < acceptable, stop
 If likelihood of all threat actors < acceptable, stop
Threat Model to Assess Risk[2 of 3]
39

40.  Iteration 1 – Impact, threat actor, vulnerability and controls, attack vector
 Iteration 2 – Threat actor likelihood, likelihood of targeting vulnerability
(prevalence, discovery), attack vector likelihood (skills, resources)
 Iteration 3 – Determine risk
Threat Model to Assess Risk[3 of 3]
40

41. Assessing Risk
41
 Compare risk with risk appetite
 Make decisions based on comparison
• And cost/benefit analysis, constraints, and priorities
 Stakeholders
• Involve in process to the degree you can (worst case, inform)
 If risk < acceptable then accept residual risk
 Otherwise reduce, transfer (insure or contract/outsource), avoid (eliminate
situation or activity), ignore (head in sand)
 Use output to define current state, future state, and gaps

42. Rules and Guidelines
42
Start simple and enhance later!
Align with business needs!
Communicate current state, future state, and
gaps!

43. Broken Paradigm – Blinky Lights
 We neglect our existing blinky light technologies
• Functionality not enabled (functionality we aren’t even aware of)
 We neglect the data that is all around us
• Lots of chatty devices
• Many non-traditional sources
- Internal and external
- Electronic and non-electronic (including human)
43

44. Rules and Guidelines
44
Give people and processes appropriate
attention!
Maximize utilization of available resources!

45. Comparison of Controls
45
 We fail at this because we don’t align with business needs or the way the
business considers alternatives

46. Comparison of Risk Reduction Alternatives
Level 1
• Confidence in alternative (yours and theirs)
• Impact – risks and opportunities
Level 2
• User friction
• Management friction
Level 3
• Implementation and management burden, complexity, and timeframe
• Cost and cost avoidance
46

47. 47
Passwords Firewalls
OS Patching Antivirus
Broken Paradigm – Passwords, FW, OS Patching, AV

48. 48
One Time Passwords Anomaly Detection
Remove Java Malware Sandboxing
Broken Paradigm – Passwords, FW, OS Patching, AV

49. Comparing Controls
Control Confidence Risk Reduct User Friction Imp Burden Mgmt Burden Cost
Passwords 2 3 4 1 4 5
Firewalls 1 2 1 3 4 5
OS Patching 3 1 3 3 3 2
Antivirus 2 1 4 4 2 2
49
Control Confidence Risk Reduct User Friction Imp Burden Mgmt Burden Cost
OTP 4 4 4 2 2 2
Anomaly
Detection
2 3 3 5 5 5
Mitigate Java 5 5 1 2 1 1
Malware
Sandbox
3 3 2 2 3 3

50. [Think|Act] The Approach
 Focus on business needs, desired outcomes, capabilities
 Ask yourself and others lots of questions
 Challenge assumptions and recognize that needs, risks, and capabilities
evolve
50

51. [Think|Act] Different – Suggestions
51

52. Ask Yourself Questions
 Direction
• How much risk are data owners and function owners willing to accept?
• Am I meeting stakeholders’ expectations?
 Capabilities and outcomes
• How quickly are we containing incidents compared to a year ago?
• If the source and destination of an attack are within our data center, do we have
visibility?
• Is our manual effort to provide malware samples to our AV provider resulting in
subsequent blocking in our environment?
 Risk
• What percentage of critical vulnerabilities in our environment are exploited in the
wild before we remediate them?
• What if someone stole a laptop from an employee while he was using it?
52

53. [Think|Act] Different – Start *Somewhere*
 Where
• Easiest? Highest value? With person who raises hand? Opportunity arises?
• May not be your call
 Be prepared
• Incident in your environment
• Incident elsewhere
• Inquiry from stakeholder
 Crawl, walk, run – gain experience and learn lessons
53

54. [Think|Act] Different – Go Against the Grain
 Get a Mac campaigns from 2006 to 2009
 Higher the penetration of a technology or tool, the more likely it will be
targeted
• If you use tools with high penetration
- How quickly can your use of it be discovered?
- Do you have compensating controls?
- How quickly can you remediate vulnerabilities?
 Consider technologies, tools, and configurations that reduce exploitation
likelihood
54

55. [Think|Act] Different – Leave Echo Chamber
 Smart people in infosec, but <1% of workers
 Lots of smart people and great ideas elsewhere
 Regardless, your stakeholders should be determining what to protect, how
much, and sharing constraints and opportunities to align with
55

56. [Think|Act] Different – Leave Echo Chamber
56

57. Rules and Guidelines
57
Look outside of the echo chamber!

58. [Think|Act] Different – Security Awareness
 Define high-priority outcomes and focus on them
• Knowing what an incident is and what to do
 Make it personal and relevant – awareness of risk and influence behavior
• Password reuse can put our IP at risk and put your finances and private
communications at risk
• Loss of competitive advantage, loss of money, disclosure of private info
58

59. Rules and Guidelines
59
People don’t care about your data and systems!
Make it personal!
Your employees’ personal lives are not out of
scope to your adversaries!
Measure what matters!

60. [Think|Act] Different – Cloud and Mobile
 Remember how you felt about…
• workstation Internet access? laptops? public facing B2B web apps? thumb
drives? Bluetooth headsets? Skype?
This is kind of like that.
It’s coming.
You can’t stop it.
You shouldn’t stop it.
Better to ask “How might we enable the business and manage the risks?”
60

61. Rules and Guidelines
61
Do not say “You can’t” until you’ve asked “How
might we?”!

62. [Think|Act] Different – Applying It
62

63. [Think|Act] Different – Challenge Status Quo
 Ask why
• Why did we implement these controls?
• Have the risks changed?
• Have the controls changed?
• Have the requirements and assumptions changed?
• How might we do this better?
 Do this before you say “no”
63

64. [Think|Act] Different – Metrics
 Metrics should
• Describe outcomes, capabilities, or progress towards target state
• Answer questions or allow you to formulate new questions
• Be meaningful and actionable
 Not a metric
• Average days to patch vulnerability
• Number of people who opened communication about phishing
 Is a metric
• % of critical vulns patched after threshold, median days above threshold
• % responding to phishing emails broken down by whether or not read it
64

65. Rules and Guidelines
65
Measure what matters!

66. [Think|Act] Different – Signal vs Noise [1 of 2]
66
Noise
 Port scans from external source
 Horizontal brute force attacks
 Commodity attacks attempting to
leverage vulns which do not
appear in our environment
Signal
 Port scans from internal sources
 Diagonal brute force attacks
 Authentication attack ending in
successful login
 Authentication attempt, followed by
login, followed by abnormal action
 Atypical (or abnormal number of) file
accesses or downloads from content
repository

67. [Think|Act] Different – Signal vs Noise [2 of 2]
67

68. Rules and Guidelines
68
Understand your environment!

69. [Think|Act] Different – Equal Treatment
 Some people are riskier
• Based on system/data access
• Role/visibility
• Security hygiene
• Disgruntled/disciplined/separating
• Internet presence
 It’s OK to treat them differently
• Different training
• Different detective and preventive controls
• If a systems’ users are higher risk, so is the system (inherited risk)
69

70. 70

71. [Think|Act] Different – Be the Adversary
 Your adversary likely doesn’t need an APT, so focus on commodity attack
vectors and exploits
 Your adversary doesn’t care that your public website in your DMZ (that’s
not quite the DMZ you thought) contains no sensitive data – he’ll consume
the local credentials and pivot his way throughout your soft gooey center
 Your adversary doesn’t care that CVSS rated 3 vulnerabilities in the same
system as 6s which was below your remediation threshold – three 6s
bundled in a $20 exploit kit are more of a risk than a theoretical 10 with no
known exploits in the wild
 The Chinese threat – your Chinese supplier may be an adversary; visits to
China could be dangerous but keep that in perspective
71

72. [Think|Act] Different – Password Composition
 Make it looooooooooooooooooooooooooooooog
 Disallow passwords utilizing common topologies1
 Require a Unicode character (~110,000 encoded)
721 KoreLogic Security Blog: Pathwell Topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)

73. [Think|Act] Different – Measurement
 Measure security awareness – or it's not worth it. And an easy m/c quiz
immediately after watching training isn't the way.
 Select small # of people, ask them about knowledge of risk or desired behavior
 Train users
 Wait a month
 Select small # of people, ask them about knowledge of risk or desired behavior
 Don’t worry about statistical significance
 Walk your environment
 Unattended logged in computers, passwords in plain site, doors propped open, 2FA tokens
unattended, personal computers connected to network
 Talk to people – don’t have a game plan, just see what you can learn and teach
73

74. Rules and Guidelines
74
Understand your environment!
Build relationships and establish credibility!
Give people and processes appropriate
attention!

75. Fallacies
75

76. Fallacy – Security Through Obscurity
 Shouldn't be only control
 Valid approach as part of a group of controls
 Often highly effective against opportunistic attacks
• Can be effective against subset of targeted attacks
76

77. Fallacy – We Can’t Switch From IE
 Alleged reason – we have software that’s only compatible with it
 Install an alternate browser
• Only use IE for those web apps
• Install Chrome or Firefox with IE Tab extension
• Switch to alternate browser when attacks in the wild or in your environment
77

78. Fallacy – We Can’t Switch From IE
 Alleged reason – we have software that’s only compatible with it
 Install an alternate browser
• Only use IE for those web apps
• Install Chrome or Firefox with IE Tab extension
• Switch to alternate browser when attacks in the wild or in your environment
78

79. Fallacy – We Can’t Move to Prevent Mode
 Measure, analyze
 Use statistics to establish appropriate thresholds
 Table-top or simulate prevention
 Don’t try to boil the ocean (IPS, DLP, WAF, EMET, etc.)
 Present a well-thought out plan comparing current, near-term, and future
controls analysis
 Demonstrate success
 Repeat
 Build credibility
79

80. 80

81. 81

82. Fallacy – Best Practices
 Best Practice [adjective] ˈbest [noun] ˈprak-təs: Something that is done
regularly by so many people it acquires this designation, regardless of
effectiveness
82

83. Rules and Guidelines
83
Best practices are a unicorn! There’s only what
works and what doesn’t.

84. Fallacy – It’s Our Job To Say It’s Secure
 Security is a spectrum
 And depends on risk appetite
 Besides, remember what you said about…
• Full Disk Encryption?
• Salted MD5 passwords?
• SSL?
• TLS?
• 2-factor authentication?
• TrueCrypt?
84

85. Rules and Guidelines
85
Never say “It’s secure.” Say “The risk is low” or
“The risk is acceptable.”

86. Fallacy – Users are not Idiots and Fixing Stupid
 If users are idiots we are idiots too
 We often don’t eat our own dog food
 There are plenty of things we do that appear to be poor risk decisions to
subject matter experts from other fields
 Not everyone’s behavior can be changed, but we can do a lot better job of
influencing it
86

87. Big Takeaways
 Question “best practices” and challenge the status quo
 Beware of unintended consequences
 Bust broken paradigms
 Think and act different
87

88. Rules
88
Make it difficult and they will find a workaround!
A vulnerability without an impact is not a risk!
A vulnerability without a threat is not a risk!
Start simple and enhance later!
People don’t care about your data and systems! Make it personal!
Your employees’ personal lives are not out of scope to your adversaries!
Do not say “You can’t” until you’ve asked “How might we?”!
Never say “It’s secure.” Say “The risk is low” or “The risk is acceptable.”
Give people and processes appropriate attention.
Best practices are a unicorn! There’s only what works and what doesn’t.

89. Guiding Principles
89
Understand your environment
Implement practical, palatable solutions
Align with business needs
Communicate current state, future state, and gaps
Maximize utilization of available resources
Build relationships and establish credibility
Measure what matters
Challenge the status quo
Look outside of the echo chamber
Take advantage of opportunities
[PLACEHOLDER]

90. Bad Advice
Unintended Consequences
and
Broken Paradigms:
Think and
Steve Werby
RVAs3c 2014
ActDifferent
90
Questions? Discussion?
Find me later here or at @stevewerby.