Infosec has seen a lot of change...from the 90s, 2000s, and 2010s...so much has happened. Yet, some things remain the same (and why all of us have jobs). Now that we've crossed into 2020...what are our lessons learned and how can we apply them?
Let's take a look forward to Security 2030: the next decade.
1. 2030: THE NEXT DECADE
CHRIS SISTRUNK
BSIDESHUNTSVILLE 2020
2. ABOUT ME
Chris Sistrunk, PE
@chrissistrunk, #DJaaS, #NAPCON
Technical Manager, FireEye
• Mandiant ICS / OT Security
Electrical Engineer, Entergy
• Transmission & Distribution
• SCADA / Substation Automation
• 30+ DNP3 implementation vulnerabilities
• Substation Security Team
BSidesJackson Founder
BEER-ISAC Co-Founder
11. “The thing that hath been, it is that which shall be; and that which is done is that which shall be done: and there is no new thing under the sun.”
Ecclesiastes 1:9
17. COMPUTER SECURITY AXIOMS
1. "If a system or network is vulnerable to legacy malware, then it is certainly vulnerable to targeted attacks." Christopher Sistrunk 2016 (Sistrunk's Axiom)
2. If an attacker can use an existing feature of a targeted system, then they aren't required to use a zero-day. Ralph Langner 2011
3. "Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life." @thegrugq 2015
4. Compliance does not equal security. (unknown)
https://github.com/chrissistrunk/SecurityAxioms
18. COMPUTER SECURITY AXIOMS
5. "A backdoor for one is a backdoor for everyone." @munin 2017
• "But the reality is if you put a back door in, that back door's for everybody, for good guys and bad guys." Tim Cook 2015
6. Security is a journey, not a destination (unknown)
• Earliest reference to full quote above is by Joel G. Ogren in 1999
• "Security is a process, not an end state." Mitch Kabay 1998
• "Security is a process, not a product." Bruce Schneier 1999
7. If something (has code/is online/has a computer chip), it can be hacked (multiple variations) (unknown)
• "As society becomes more and more computerized, it becomes eminently more hackable." Deth Vegetable, Cybermania 1994
• "Everything is hackable" A.J. Reznor 1997
• "Whenever an appliance is described as being 'smart', it's vulnerable." Mikko Hypponen 2016
https://github.com/chrissistrunk/SecurityAxioms
19. COMPUTER SECURITY AXIOMS
8. "Security's worst enemy is complexity" Bruce Schneier 1999
9. "Ability to type on a computer terminal is no guarantee of sanity, intelligence, or common sense." Eugene Spafford 1987 (Axiom #2 from his Axioms of Usenet)
10. Any security technology whose effectiveness can't be empirically determined is indistinguishable from blind luck. (Geer's Law) Dan Geer 2003
• "Geer's law is a paraphrase of the analysis first presented in 'Information Security: Why the Future Belongs to the Quants.'" Ian Grigg & Peter Gutmann 2011
https://github.com/chrissistrunk/SecurityAxioms
20. WHEN DID YOU START IN INFOSEC?
• 1980s or before
• 1990s
• 2000s
• 2010s
23. FOR ME?
I grew up with computers
• First computer – 8088 IBM PC Clone
Prodigy / AOL
• HACKED!
BBSes, but no hacking community
• First upload was Wolfenstein 3D
• IT WAS A WHOLE MEGABYTE!!!!
• Anarchist Cookbook
24. FAST FORWARD
College
• LaTech – Electrical Engineering (Power)
• We had a Unix lab
• …but most everyone used pirated WinXP
Real Job
• Engineering stuff
• SCADA?? OpenVMS??
• RTUs?? Motorola 68k??
• RS-232??? 1200 Baud
36. WHERE ARE WE GOING?
WHAT WILL IT TAKE TO GET THERE?
• Will the past keep repeating itself?
• Humans will be humans
• The technology explosion will continue, can security keep up?
• Was the loss of $$$$$$$$$$ enough?
• Will it take loss of life due to cyber-physical attack to truly move the needle?
38. "SECURITY'S WORST ENEMY IS COMPLEXITY" SCHNEIER
1. Use LESS CODE and make SIMPLER designs? K.I.S.S.
2. YOU CAN'T HACK PHYSICS
• Should we put strategic analog devices in place?
https://www.csis.org/analysis/case-simplicity-energy-infrastructure
• Should we have paper backups?
Tim Roxey
But Chris, clearly the most important event was the birth of Alan Turing!
1839 – Charles Babbage Chart Recorder
1880 – The three-phase AC power grid was conceived
1888 – William Bristol Chart Recorder
1914 – The first Transmission Grid was built
1920 – The first SCADA systems (telephone type)
1965 – First Digital SCADA systems
1965 – The first Northeast Blackout
1968 – NERC is created
1980 – The first Digital Relay (SEL)
1980ish – The first Digital Fault Recorder
1988 – Phasor Measurement Unit was invented
1990 – Ethernet networks used in SCADA
2003 – The 2nd Northeast Blackout
2007 – NERC PRC Disturbance Monitoring Equipment Standards PRC 002 and 018
2016 – NERC PRC 002-2 Standard Enforced
NSM
• 1988 – Stalking The Wily Hacker
• 1990 – A Network Security Monitor – Todd Heberlein
• 1990s – US Air Force – Defense Information Systems Agency
• 1994 – Bro IDS invented – Vern Paxson
• 1998 – Snort invented – Martin Roesch
• 2002 – NSM Formally Defined by Richard Bejtlich
But hindsight is 20/20
Safety Rules are Written In Blood
Reliability Rules are Written In Darkness
Security Rules are re-written in blood????