Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation through several examples from current security research. It finds that some hacking research is counter-productive in bringing the most security to the most people, because it spreads fear too widely.
---
Karsten Nohl
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
Slide 9: Few Android phones get hacked; those that do are outdated
[Chart: "Hacked devices vs. market break-down (%)", 0 to 100 scale, comparing the market break-down by Android version (6 / 5 / 4.4 / 4.3 and older) against hacked phones; ~2% hacked, the rest not hacked]
Source: developer.android.com/about/dashboards/index.html ,
https://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf
Slide 15: Security caution can delay safety, and ultimately kill people
[Chart: "Car fatalities per 100 million miles [US]", y-axis 0 to 5, x-axis 1970 to 2020, annotated with the introduction of Airbags, ABS, ESC, Adaptive cruise control and "Autonomous cars?"]
§ If we test all new car components for hacking risks, we delay their introduction
§ A delay of 3 months due to security design and testing means more people get killed on the road
§ 200.000 more people die within the next 10 years
SOURCE: https://en.m.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year
Slide 22: Circumventing restrictive controls often is net positive

Security can save millions

Area | Incident example | Cost | Likelihood per year
Destructive damage | Scada hack damages factory | 10m | 2%
Lost revenue | Major government contract does not close | 50m | 1%
Image impact | Major marketing campaign needed to offset hacking impact | 15m | 1%
Image impact | Smaller campaign needed to offset smaller hacking impact | 1.5m | 10%
Competitive damage | Theft of major IP (patent application, design document) | 5m | 10%
Competitive damage | Negotiation details stolen (M&A, long-term contracts) | 2m | 10%
Effective total cost per year: <2m

Trade-off function: invest until damage elasticity = incremental protection effort

vs.

Restrictive security can destroy billions in value

§ “Billion dollar ideas” mostly grow from creative people freely playing with innovative technology, which is the opposite of what security often aims for
§ Microsoft paid USD 9 billion to buy Skype, a technology the Microsoft policies would not allow
§ German “Datenschutz” vs. Silicon Valley profits

Trade-off function: protect until and as long as innovation can flourish
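The expected-loss arithmetic behind the slide-22 table and its "invest until damage elasticity equals incremental protection effort" rule, as an added example that is not part of the talk. The scenario figures are the slide's own; the protection measure (halving competitive-damage likelihood) and its annual cost are constructed assumptions.

```python
# Added example: the slide-22 risk model in code. Scenario figures are the
# slide's own (cost in millions, likelihood per year); the protection measure
# used at the bottom is a constructed assumption, not from the talk.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    area: str
    incident: str
    cost_m: float      # damage of a single incident, in millions
    likelihood: float  # probability that the incident occurs in a year

SCENARIOS = [
    Scenario("Destructive damage", "Scada hack damages factory", 10.0, 0.02),
    Scenario("Lost revenue", "Major government contract does not close", 50.0, 0.01),
    Scenario("Image impact", "Major marketing campaign to offset hacking impact", 15.0, 0.01),
    Scenario("Image impact", "Smaller campaign to offset smaller hacking impact", 1.5, 0.10),
    Scenario("Competitive damage", "Theft of major IP", 5.0, 0.10),
    Scenario("Competitive damage", "Negotiation details stolen", 2.0, 0.10),
]

def expected_annual_loss(scenarios):
    """Sum of cost x likelihood: the slide's 'effective total cost per year'."""
    return sum(s.cost_m * s.likelihood for s in scenarios)

def apply_measure(scenarios, reductions):
    """Model a protection measure as a per-area cut of incident likelihood;
    reductions maps area -> fraction of likelihood removed (0.5 halves it)."""
    return [replace(s, likelihood=s.likelihood * (1.0 - reductions.get(s.area, 0.0)))
            for s in scenarios]

def worth_investing(scenarios, reductions, annual_cost_m):
    """Slide's trade-off rule: invest while the loss avoided per year exceeds
    the incremental protection effort (the measure's annual cost).
    Returns (decision, avoided_loss_m)."""
    avoided = (expected_annual_loss(scenarios)
               - expected_annual_loss(apply_measure(scenarios, reductions)))
    return avoided > annual_cost_m, avoided

if __name__ == "__main__":
    # Constructed assumption: a control that halves competitive-damage likelihood.
    halve_ip_theft = {"Competitive damage": 0.5}
    print(f"expected annual loss: {expected_annual_loss(SCENARIOS):.2f}m")
    for cost in (0.2, 0.5):
        ok, avoided = worth_investing(SCENARIOS, halve_ip_theft, cost)
        print(f"measure at {cost}m/year avoids {avoided:.2f}m -> {'invest' if ok else 'skip'}")
```

The table's six rows sum to 1.7m per year, matching the slide's "<2m"; the same control is worth buying at 0.2m/year but not at 0.5m/year, which is the slide's point that a measure must be priced against the loss it actually avoids.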
Slide 25: Less-restrictive protection alternatives often exist

Restrictive protections | Innovation-friendly alternatives
Many complex passwords | Single-sign-on using smartphones
Web proxy blocklists | SSL termination and monitoring
No admin rights for users | Process monitoring
Corporate phones (Blackberrys) | BYOD with ActiveSync and VPN
Endless pentesting | Bug bounties
Security policy | Awareness campaigns
DLP | Awareness; or simply more trust

Where no less-restrictive alternative exists, close risk monitoring may allow you to keep restrictive protection switched off until a risk becomes real
Slide 28: SOC ramp-up delivers fast results only in top-down manner

Bottom-up – Start with data (18 months):
§ Collect available data sources
§ Create simple use cases
§ Become familiar with data
§ Integrate more sources
§ Add advanced use cases
§ Generate alarms
§ Forensically investigate incidents

vs.

Top-down – Start with threats (days per use case):
§ Start with most relevant threats
§ Create tailored use cases
§ Collect only data needed for current use case