
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Different! [Presented by Steve Werby at RVAsec 2014]


DESCRIPTION

20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!


1. Bad Advice, Unintended Consequences, and Broken Paradigms: Think and Act Different (Steve Werby, RVAs3c 2014)

2. Insanity
Insanity [noun] in-san-i-ty: Doing the same thing over and over again and expecting different results [1]
s/Insanity/Information Security/
[1] Despite popular belief, there is no evidence that this was written or spoken by Albert Einstein.

3. We're Doing it Wrong
- Security == 0 || Security == 1
- Focus on vulnerabilities
- Think in terms of worst-case scenarios
- Serve as an obstacle
- Don't demonstrate value
- Point fingers

4. What Do You Mean By "We"?
- He's talking about me! 65%
- I can relate to some of this. 20%
- Not me [I'm delusional]. 13%
- My house is in order! 2%

5. But Blame is Shared
- How can we align with the org's objectives?
- What do you think we should do?
- What's our risk for the scenario I read about?
- Should we address this?
- How can we prevent this in the future?
- How did you let this happen!?

6. Who am I?
- I am not a rock star

7. Who am I?
- I am not a rock star
- I am not a guru

8. Who am I?
- I am not a rock star
- I am not a guru
- I am not a thought leader [1]
[1] I am not belittling Chris Eng (pictured). I am a fan of the video he created, "How to Become an Information Security Thought Leader": https://www.youtube.com/watch?v=Pc64xWxRsag

9. Rules and Guidelines
- Please hold questions until the end. I'll also be available after the talk.
- It's OK to laugh. Information security is tough if you keep everything bottled up.
- Constructive and unconstructive feedback welcome at @stevewerby. And don't forget hashtag #rvasec.

10. Disclaimer, Disavowal, and Renunciation
- These are not necessarily the views of:
  - My employer
  - You
  - Anyone else or anything else in the universe
- If your feelings are easily hurt by being told you've been doing it wrong, consider leaving
  - But you'll miss some ways of doing it better
- This disclaimer/disavowal/renunciation is retroactive to the Unix Epoch
  - And is subject to change without notice

11. Bad Advice

12. Bad Advice
13. Bad Advice: Passwords
"Use unique passwords, memorize them, and change them regularly."
Why it's bad:
- Unique isn't actually what we want
- We don't really care if they memorize them
- Change them every 42 days
  - Reason no longer applicable (offline brute force defense)
  - Research doesn't even support that it's effective

14. Rules and Guidelines
- Make it difficult and they will find a workaround!
- Challenge the status quo!

15. Unintended Consequences

16. Unintended Consequences: Passwords
- Get entered into the wrong system
- Ignore requirements and don't make them unique
- Write them down insecurely
- Unique, but other passwords give clues about this password
- Change regularly leads to the (n+1)th being similar to the nth

17. Rules and Guidelines
- Implement practical, palatable solutions!
- Focus on outcomes!

18. Bad Advice: Long, Technical Policy
- Too looooooooooooooooooooooooooooooong
- Legal is happy, you may be happy
- Serves as a CYA and a violation lever
- Many never even consider reading it...but if they do:
  - Not easy to comprehend
  - Impossible for users to retain
- Doesn't consider impact on those affected

19. Rules and Guidelines
- Challenge the status quo!
- Build relationships and establish credibility!

20. Broken Paradigms

21. Broken Paradigm: Passwords, FW, OS Patching, AV
- Passwords
- Firewalls
- OS Patching
- Antivirus

22. Broken Paradigm: Passwords, FW, OS Patching, AV
- Passwords  ?
- Firewalls  ?
- OS Patching  ?
- Antivirus  ?

23. Broken Paradigm: CIA Model
- Should be AIC
- Masquerades as a holistic security model, but is a limited model that focuses entirely on information
- Parkerian Hexad is better: adds possession, authenticity, and utility

24. Werbian Quintet
- Level 1: Utility, Availability
- Level 2: Integrity
- Level 3: Confidentiality/Possession, Authenticity

25. Rules and Guidelines
- Align with business needs!

26. Broken Paradigm: Vulnerability-Centric
- Unlocked, 20-year-old, empty, beaten-up car in the middle of a full parking lot
- Unlocked house with $10MM in diamonds in the middle of the desert, and only 1 person knows it's there
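Slide 16's last point (forced rotation makes the (n+1)th password similar to the nth) is easy to show concretely. The following is an added example, not from the deck: it enumerates the rotation transforms that users typically apply (bump a trailing number, advance a season or month name, swap the trailing symbol) and measures how often each password in a history is recoverable from the one before it. The transform list and both password histories are constructed for the example and are assumptions, not data from the talk.

```python
"""Added example: how predictable a rotated password is from its predecessor.

The transforms below are assumptions about common user behaviour under a
periodic-change policy; the two histories are constructed sample data."""
from __future__ import annotations

import re

SEASONS = ["Winter", "Spring", "Summer", "Fall"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
SYMBOLS = "!@#$"

# Constructed: what a 90-day rotation policy typically produces.
ROTATION_HISTORY = [
    "Summer2013!", "Fall2013!", "Winter2014!", "Spring2014!", "Summer2014!",
]
# Constructed: unrelated random passwords, for contrast.
RANDOM_HISTORY = ["k9#Lm2xQ", "Qb!7rT0w", "z4Wp@1nE"]


def _bump_number(pw: str) -> set[str]:
    """Increment the last run of digits (Password7! -> Password8!)."""
    m = re.search(r"(\d+)(\D*)$", pw)
    if not m:
        return set()
    digits, tail = m.group(1), m.group(2)
    head = pw[: m.start(1)]
    bumped = str(int(digits) + 1).zfill(len(digits))
    return {head + bumped + tail}


def _cycle_word(pw: str, cycle: list[str]) -> set[str]:
    """Advance a season/month name; also try it with the year bumped
    (Fall2013 -> Winter2013 and Winter2014)."""
    out: set[str] = set()
    for i, word in enumerate(cycle):
        if word in pw:
            nxt = cycle[(i + 1) % len(cycle)]
            cand = pw.replace(word, nxt, 1)
            out.add(cand)
            out |= _bump_number(cand)
    return out


def _swap_symbol(pw: str) -> set[str]:
    """Append a symbol, or rotate an existing trailing symbol."""
    if pw and pw[-1] in SYMBOLS:
        return {pw[:-1] + s for s in SYMBOLS if s != pw[-1]}
    return {pw + s for s in SYMBOLS}


def predict_successors(old: str) -> set[str]:
    """Candidate (n+1)th passwords an attacker derives from the nth."""
    cands: set[str] = set()
    cands |= _bump_number(old)
    cands |= _cycle_word(old, SEASONS)
    cands |= _cycle_word(old, MONTHS)
    cands |= _swap_symbol(old)
    cands.discard(old)
    return cands


def rotation_exposure(history: list[str]) -> float:
    """Fraction of consecutive changes where the new password is among the
    successors predicted from the old one. 1.0 means fully predictable."""
    pairs = list(zip(history, history[1:]))
    if not pairs:
        return 0.0
    hits = sum(new in predict_successors(old) for old, new in pairs)
    return hits / len(pairs)


if __name__ == "__main__":
    print("rotated history exposure:", rotation_exposure(ROTATION_HISTORY))
    print("random history exposure: ", rotation_exposure(RANDOM_HISTORY))
```

The candidate set per password is a few dozen strings, so an attacker holding one expired credential (from a breach dump or an old backup) can try them all online without tripping a lockout; that is the sense in which the rotation policy gives no defence against the offline brute force it was meant to counter while creating a new online one. The same `predict_successors` check can be run at password-change time to reject the trivially derived successor.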
27. Rules and Guidelines
- A vulnerability without an impact is not a risk!
- A vulnerability without a threat is not a risk!

28. What Information Security Is (Allegedly)
Information security is the practice of defending information against unauthorized access, use, disclosure, modification, or destruction.

29. What Information Security Is (Really)
Information security is the defense of information and IT systems in alignment with stakeholders' direction for addressing risk and opportunities.

30. What Information Security Is (Really): Breaking it Down
Information security is the defense of information and IT systems in alignment with stakeholders' direction for addressing risk and opportunities.
- What information do we have?
- What IT systems use it?
- Who are the stakeholders?
- What are our risks?
- What are our opportunities?

31. Focus: From Chaos to Disorder
- Phase 1: Org mission and vision; org goals and success factors
- Phase 2: Essential business processes; secondary business processes
- Phase 3: Information; IT systems
- Phase 4: Risks; opportunities

32. Rules and Guidelines
- Start simple and enhance later!
- Align with business needs!

33. What Risk Is
- R = Threat * Vulnerability * Impact
- R = Likelihood * Impact
- Can be a range of impact/likelihood scenarios
- Likelihood of a threat exploiting a vulnerability and resulting in an impact

34. (no text on slide)

35. Risk Appetite [1 of 2]
Expressing risk appetite:
- Boundary on an impact/likelihood grid
- Descriptive
  - 99.9% manufacturing system uptime
  - No social media account abuse
  - No audit findings
- Maximum annual $ loss (bottom quartile for industry)
Can vary:
- Across business units (R&D vs. marketing)
- By scenario (PII vs. IP, individual records vs. bulk loss)

36. Risk Appetite [2 of 2]
- Level 1: Infosec
- Level 2: IT leadership and IT support aligned with LOB; others who may have insights, even if they lack authoritative knowledge
- Level 3: LOB management; LOB leadership
- Level 4: Risk steering committee; enterprise leadership team or board

37. Rules and Guidelines
- Take advantage of opportunities!

38. Threat Model to Assess Risk [1 of 3]
- Tool for infosec
- Adequate for explaining to stakeholders, though they care about impact and likelihood, not threats and vulnerabilities
- Inefficient and illogical way of identifying risk, though
Chart is a modified version of a chart in the OWASP Top 10 2013 (http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf)

39. Threat Model to Assess Risk [2 of 3]
- If likelihood of impact < acceptable, stop
- If likelihood of all threat actors < acceptable, stop

40. Threat Model to Assess Risk [3 of 3]
- Iteration 1: Impact, threat actor, vulnerability and controls, attack vector
- Iteration 2: Threat actor likelihood, likelihood of targeting the vulnerability (prevalence, discovery), attack vector likelihood (skills, resources)
- Iteration 3: Determine risk

41. Assessing Risk
- Compare risk with risk appetite
- Make decisions based on the comparison, and on cost/benefit analysis, constraints, and priorities
- Stakeholders: involve them in the process to the degree you can (worst case, inform them)
- If risk < acceptable, then accept the residual risk
- Otherwise reduce, transfer (insure or contract/outsource), avoid (eliminate the situation or activity), or ignore (head in sand)
- Use the output to define current state, future state, and gaps

42. Rules and Guidelines
- Start simple and enhance later!
- Align with business needs!
- Communicate current state, future state, and gaps!

43. Broken Paradigm: Blinky Lights
- We neglect our existing blinky light technologies
  - Functionality not enabled (functionality we aren't even aware of)
- We neglect the data that is all around us
  - Lots of chatty devices
  - Many non-traditional sources
    - Internal and external
    - Electronic and non-electronic (including human)

44. Rules and Guidelines
- Give people and processes appropriate attention!
- Maximize utilization of available resources!
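Slides 33 to 41 describe one procedure: express appetite as a boundary on the impact/likelihood grid, enumerate impact, actors, vulnerability and vector (iteration 1), estimate the likelihoods (iteration 2), stop early when slide 39's rules say so, then compute R = Likelihood * Impact and compare it to the appetite (iteration 3, slide 41). The following is an added example that runs that procedure over a small risk register; it is not from the talk. The scenarios, actors, probabilities and the appetite table are all constructed for illustration, and the way likelihoods are combined (independent actors, product of prevalence, discoverability and control strength) is an assumption about how to make the slides' words numeric, not the speaker's method.

```python
"""Added example: the slide 38-41 threat model as a runnable risk register.
Every number below is constructed; the combination rules are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ThreatActor:
    name: str
    targeting: float   # P(actor goes after this asset in the period)
    capability: float  # P(actor has the skills/resources for the vector)


@dataclass
class Vulnerability:
    name: str
    prevalence: float        # how widely the weakness exists in our estate
    discoverability: float   # how easily an attacker finds it
    control_strength: float  # share of attempts existing controls stop


@dataclass
class Scenario:
    name: str
    impact: int  # 1 (negligible) .. 5 (severe): the grid's impact axis
    actors: list[ThreatActor]
    vuln: Vulnerability


# Appetite as a grid boundary: the highest likelihood the business tolerates
# at each impact level. 1.0 at impact 1 means that level is always accepted.
APPETITE = {1: 1.0, 2: 0.5, 3: 0.2, 4: 0.05, 5: 0.01}


def any_of(probabilities: list[float]) -> float:
    """P(at least one of several independent events) = 1 - prod(1 - p)."""
    miss = 1.0
    for p in probabilities:
        miss *= 1.0 - p
    return 1.0 - miss


def assess(s: Scenario, appetite: dict[int, float] = APPETITE) -> dict:
    tolerable = appetite[s.impact]
    # Slide 39, rule 1: stop if this impact level is tolerated at any likelihood.
    if tolerable >= 1.0:
        return {"scenario": s.name, "stage": "stopped: impact within appetite",
                "likelihood": None, "risk": None, "decision": "accept"}
    # Iteration 2a: threat actor likelihood. Slide 39, rule 2: stop if even the
    # union of all actors targeting us falls below the tolerable likelihood.
    p_targeted = any_of([a.targeting for a in s.actors])
    if p_targeted < tolerable:
        return {"scenario": s.name, "stage": "stopped: actors within appetite",
                "likelihood": p_targeted, "risk": None, "decision": "accept"}
    # Iteration 2b: attack vector likelihood (skills, resources) per actor, and
    # the chance the vulnerability is found and exploited past current controls.
    p_attack = any_of([a.targeting * a.capability for a in s.actors])
    v = s.vuln
    p_exploit = v.prevalence * v.discoverability * (1.0 - v.control_strength)
    likelihood = p_attack * p_exploit
    # Iteration 3: R = Likelihood * Impact (slide 33), then compare to appetite.
    risk = likelihood * s.impact
    if likelihood <= tolerable:
        decision = "accept residual risk"
    else:
        # Choosing among reduce / transfer / avoid is the stakeholders'
        # cost/benefit call (slide 41); the model only flags the breach.
        decision = "exceeds appetite: reduce, transfer, or avoid"
    return {"scenario": s.name, "stage": "assessed", "likelihood": likelihood,
            "risk": risk, "decision": decision}


# Constructed register for the example.
SCENARIOS = [
    Scenario("Marketing microsite defaced", impact=1,
             actors=[ThreatActor("script kiddie", 0.9, 0.9)],
             vuln=Vulnerability("outdated CMS", 0.5, 0.9, 0.2)),
    Scenario("R&D test rig tampered with on site", impact=3,
             actors=[ThreatActor("malicious insider", 0.05, 0.9)],
             vuln=Vulnerability("unlocked lab", 1.0, 1.0, 0.0)),
    Scenario("Bulk customer PII theft via web app", impact=5,
             actors=[ThreatActor("organized crime", 0.6, 0.8),
                     ThreatActor("hacktivist", 0.2, 0.5)],
             vuln=Vulnerability("SQL injection in search", 0.7, 0.9, 0.5)),
]


def assess_register(scenarios=SCENARIOS, appetite=APPETITE) -> list[dict]:
    """Assess every scenario; those exceeding appetite sort first."""
    results = [assess(s, appetite) for s in scenarios]
    return sorted(results, key=lambda r: -(r["risk"] or 0.0))


if __name__ == "__main__":
    for r in assess_register():
        print(f"{r['scenario']:<40} {r['stage']:<34} {r['decision']}")
```

The two early exits are what make the model cheap enough to run against a long register: the defacement scenario never gets an actor analysis because the business tolerates impact level 1 outright, and the insider scenario stops after iteration 2a because no actor is likely enough to bother modelling the vector. Only the PII scenario reaches iteration 3, and its output is exactly the shape slide 41 asks for: a likelihood and risk figure next to the appetite it breaches, which is what the stakeholder comparison and the gap statement need.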
45. Comparison of Controls
We fail at this because we don't align with business needs or the way the business considers alternatives.

46. Comparison of Risk Reduction Alternatives
- Level 1: Confidence in the alternative (yours and theirs); impact on risks and opportunities
- Level 2: User friction; management friction
- Level 3: Implementation and management burden, complexity, and timeframe; cost and cost avoidance

47. Broken Paradigm: Passwords, FW, OS Patching, AV
- Passwords
- Firewalls
- OS Patching
- Antivirus

48. Broken Paradigm: Passwords, FW, OS Patching, AV
- One Time Passwords
- Anomaly Detection
- Remove Java
- Malware Sandboxing

49. Comparing Controls
Scores as shown on the slide, 1 = low to 5 = high on every column: high Confidence and Risk Reduction are desirable, high User Friction, Implementation Burden, Management Burden, and Cost are not.

Control             Confidence  Risk Reduction  User Friction  Impl. Burden  Mgmt Burden  Cost
Passwords           2           3               4              1             4            5
Firewalls           1           2               1              3             4            5
OS Patching         3           1               3              3             3            2
Antivirus           2           1               4              4             2            2
OTP                 4           4               4              2             2            2
Anomaly Detection   2           3               3              5             5            5
Mitigate Java       5           5               1              2             1            1
Malware Sandbox     3           3               2              2             3            3

50. [Think|Act] The Approach
- Focus on business needs, desired outcomes, capabilities
- Ask yourself and others lots of questions
- Challenge assumptions and recognize that needs, risks, and capabilities evolve

51. [Think|Act] Different Suggestions

52. Ask Yourself Questions
- Direction
  - How much risk are data owners and function owners willing to accept?
  - Am I meeting stakeholders' expectations?
- Capabilities and outcomes
  - How quickly are we containing incidents compared to a year ago?
  - If the source and destination of an attack are within our data center, do we have visibility?
  - Is our manual effort to provide malware samples to our AV provider resulting in subsequent blocking in our environment?
- Risk
  - What percentage of critical vulnerabilities in our environment are exploited in the wild before we remediate them?
  - What if someone stole a laptop from an employee while he was using it?

53. [Think|Act] Different: Start *Somewhere*
- Where?
  - Easiest?
  - Highest value?
  - With the person who raises a hand?
  - Where an opportunity arises?
  - May not be your call
- Be prepared
  - Incident in your environment
  - Incident elsewhere
  - Inquiry from a stakeholder
- Crawl, walk, run: gain experience and learn lessons

54. [Think|Act] Different: Go Against the Grain
- "Get a Mac" campaigns from 2006 to 2009
- The higher the penetration of a technology or tool, the more likely it will be targeted
- If you use tools with high penetration:
  - How quickly can your use of it be discovered?
  - Do you have compensating controls?
  - How quickly can you remediate vulnerabilities?
- Consider technologies, tools, and configurations that reduce exploitation likelihood

55. [Think|Act] Different: Leave Echo Chamber
- Smart people in infosec, but