What you will take away from this keynote (slide 2)
1. Hear from a security researcher and practitioner about which protections work and which are unnecessary
2. A better understanding of the security-innovation trade-off
3. Some ideas for deploying effective (but never perfect!) security measures

How security pros view themselves (slide 3)

We ask the question "How much security is too much?" in two areas (slide 4)
A. Product security: remove hacking risks for your customers
B. Information security: protect your own systems from hacking
Agenda (slide 5)
A. Product security
1 Security researchers* take extreme positions
2 Many companies only react to extreme positions
3 The security community is fighting vulnerabilities, not risks
B. Information security
* As reported in the media
Terrible year for iOS security, right? (slide 6)
Pegasus malware
FBI-style hardware hacking

Your iPhone getting hacked is rather unlikely (slide 7)
Pegasus malware
- 1 billion iOS devices possibly vulnerable
+ Only one (!) attempted infection
+ Apple patched the vulnerability within 10 days
FBI-style hardware hacking
- Hack is now publicly available at low cost
+ Only possible with hardware access
+ Only works against the oldest 22% of iPhones (5c and older, March 2016)
[Chart: iPhone market break-down, Apr 2016, by model: 6, 5S, 6S, 6 Plus, 6S Plus, 5, 5C, 4S, 4]
Source for graph: http://info.localytics.com/blog/how-will-apples-newest-iphone-impact-mobile-engagement
Few Android phones get hacked; those that do are outdated (slide 9)
[Chart: Hacked devices vs. market break-down (%), scale 0-100, for Android 6, 5, 4.4, 4.3 (and older); series: Market break-down, Hacked phones]
~2% hacked; the rest not hacked
Source: developer.android.com/about/dashboards/index.html, https://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf
Should mobile really be a chief security concern? (slide 10)
iOS infection rate: <0.1%
Android infection rate: ~2% (<0.2% for current devices)
Windows infection rate: 20-40%
Source: http://www.pandasecurity.com/mediacenter/src/uploads/2016/05/Pandalabs-2016-T1-EN-LR.pdf
Companies' InfoSec priorities are not aligned with actual incidents (slide 11)
Typical corporate InfoSec priorities
1. Buy iOS security software
2. Ban or lock down Android devices
…
10. Do something uncreative about Windows security, like upgrading antivirus software
vs.
Actual endpoint hacking incidents
1. Windows
2. Windows
3. Social engineering
4. Windows
…
100. Android
ILLUSTRATIVE
Your time is best spent protecting from most likely threats (slide 13)
Threat | Vulnerability / hacking ease | Hacker incentive | Damage | Risk
BadUSB | Infect computers from USB firmwares | Local attack propagation | (Varies by system) | (rated on slide)
Targeted malware | Infect Windows through e-mail attachments or malicious websites | Remote infection | (Varies by system) | (rated on slide)
Scale for each column: Low / Medium / High (ratings shown graphically on the slide)
Don't bother protecting your Internet-connected computers from BadUSB before you solved the malware challenge
ILLUSTRATIVE
Next big hacking frontier: Cars? (slide 14)
Security caution can delay safety, and ultimately kill people (slide 15)
[Chart: Car fatalities per 100 million miles [US], 1970-2020, y-axis 0-5; safety features marked along the curve: ABS, Airbags, ESC, Adaptive cruise control, Autonomous cars?]
§ If we test all new car components for hacking risks, we delay their introduction
§ A delay of 3 months due to security design and testing means more people get killed on the road
§ 200,000 more people die within the next 10 years
SOURCE: https://en.m.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year
Agenda (slide 16)
A. Product security
B. Information security
1 Everybody breaks security rules (but we don't usually talk about it)
2 Unpopular security controls are not effective, and worse: they inhibit innovation
3 For security or innovation to work, we need user-friendly solutions
4 Threat monitoring is user-friendly. It increases motivation, productivity, innovation and security
Restrictive protections are easily and often circumvented (slide 17)
Standard "protection" practice
- Funnel web browsing through proxy server
- Block everything else at firewall
[Diagram: Corporate user → proxy server → Internet; all other traffic blocked (✗)]
Standard circumvention
- Skype tunnels its traffic through web proxies and regularly changes its server addresses
Large hacks are often the result of protections circumvented by people who "need to do their job" (slide 18)
Hacking case: Target lost credit card data for 300 million customers
Root cause: A Target supplier installed a remote access tool to tunnel into the Target network for maintenance
Headline shown: "Target's CEO Steps Down Following The Massive Data Breach"
Case study – typical Enterprise/SOA bus evades classic network security techniques (slide 21)
[Diagram: External and internal users → Web application firewall (unmanaged) → Application servers (App, App) → Service bus → Authentication server, Critical databases]
User requests are often passed on all the way to critical services on the bus
Low-level protections that do not prevent app-level hacks are not shown: firewalls, IPS, proxies, and SSL gateways
Circumventing restrictive controls often is net positive (slide 22)

Security can save millions
Area | Incident example | Cost | Likelihood per year
Destructive damage | SCADA hack damages factory | 10m | 2%
Lost revenue | Major government contract does not close | 50m | 1%
Image impact | Major marketing campaign needed to offset hacking impact | 15m | 1%
Image impact | Smaller campaign needed to offset smaller hacking impact | 1.5m | 10%
Competitive damage | Theft of major IP (patent application, design document) | 5m | 10%
Competitive damage | Negotiation details stolen (M&A, long-term contracts) | 2m | 10%
Effective total cost per year: <2m
Trade-off function: invest until damage elasticity = incremental protection effort

vs.

Restrictive security can destroy billions in value
§ "Billion dollar ideas" mostly grow from creative people freely playing with innovative technology, which is the opposite of what security often aims for
§ Microsoft paid USD 9 billion to buy Skype, a technology the Microsoft policies would not allow
§ German "Datenschutz" vs. Silicon Valley profits
Trade-off function: protect until and as long as innovation can flourish
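The "effective total cost per year" on the left of this slide is the sum of each incident's cost multiplied by its yearly likelihood, and the earlier "most likely threats" slide ranks threats by hacking ease, hacker incentive and damage. The following Python is an added illustration of both calculations, not the speaker's code: the table values are transcribed from the slide, while the Low/Medium/High = 1/2/3 scoring, the sample threat ratings and the control_is_worth_it helper are assumptions made for the example.

```python
"""Annualized expected loss (slide 22) and ordinal risk ranking (slide 13).

Added example, not part of the keynote. Costs and likelihoods are the
slide's numbers; the 1/2/3 scoring and the sample threat ratings are
assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    area: str
    example: str
    cost_m: float        # one-off cost of the incident, in millions
    likelihood: float    # probability the incident occurs within one year


# Transcribed from the slide's "Security can save millions" table.
SLIDE_TABLE = [
    Incident("Destructive damage", "SCADA hack damages factory", 10.0, 0.02),
    Incident("Lost revenue", "Major government contract does not close", 50.0, 0.01),
    Incident("Image impact", "Major marketing campaign needed to offset hacking impact", 15.0, 0.01),
    Incident("Image impact", "Smaller campaign needed to offset smaller hacking impact", 1.5, 0.10),
    Incident("Competitive damage", "Theft of major IP (patent application, design document)", 5.0, 0.10),
    Incident("Competitive damage", "Negotiation details stolen (M&A, long-term contracts)", 2.0, 0.10),
]


def expected_annual_loss(incidents):
    """Sum of cost x likelihood: the slide's 'effective total cost per year'."""
    return sum(i.cost_m * i.likelihood for i in incidents)


def loss_by_area(incidents):
    """Expected yearly loss aggregated per damage area."""
    totals = {}
    for i in incidents:
        totals[i.area] = totals.get(i.area, 0.0) + i.cost_m * i.likelihood
    return totals


def control_is_worth_it(incidents, covered_areas, risk_reduction, annual_cost_m):
    """Assumed decision rule for the slide's trade-off function: a control
    pays off only while the expected loss it avoids exceeds what it costs.
    risk_reduction is the fraction of covered-area loss the control removes."""
    by_area = loss_by_area(incidents)
    avoided = sum(v for a, v in by_area.items() if a in covered_areas) * risk_reduction
    return avoided, avoided > annual_cost_m


# Slide 13 scores each threat on three factors; the numeric mapping is assumed.
LEVEL = {"low": 1, "medium": 2, "high": 3}


def risk_score(hacking_ease, hacker_incentive, damage):
    """Ordinal risk as the product of the three factor levels (assumed scoring)."""
    return LEVEL[hacking_ease] * LEVEL[hacker_incentive] * LEVEL[damage]


# Constructed sample ratings (name, ease, incentive, damage); not from the slide.
SAMPLE_THREATS = [
    ("BadUSB", "medium", "low", "medium"),
    ("Targeted malware", "high", "high", "medium"),
]


def rank_threats(threats):
    """Highest-risk threat first, i.e. where protection time is best spent."""
    return sorted(threats, key=lambda t: risk_score(*t[1:]), reverse=True)


if __name__ == "__main__":
    print(f"Expected annual loss: {expected_annual_loss(SLIDE_TABLE):.2f}m")
    for area, loss in loss_by_area(SLIDE_TABLE).items():
        print(f"  {area}: {loss:.2f}m")
    for name, *levels in rank_threats(SAMPLE_THREATS):
        print(f"  {name}: risk score {risk_score(*levels)}")
```

Running it reproduces the slide's "<2m" total (1.7m) and shows that competitive damage, not the headline-grabbing SCADA scenario, carries the largest expected loss, which is the kind of observation that decides where protection effort should go first.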
Too little and too much protection hinders innovation (slide 23)
[Chart: Innovation potential plotted against Protection effort, with Damage; at low effort, incidents spread fear; at high effort, restrictions kill innovation energy]
Less-restrictive protection alternatives often exist (slide 25)
Restrictive protections → Innovation-friendly alternatives
§ Many complex passwords → Single-sign-on using smartphones
§ Web proxy blocklists → SSL termination and monitoring
§ No admin rights for users → Process monitoring
§ Corporate phones (Blackberrys) → BYOD with ActiveSync and VPN
§ Endless pentesting → Bug bounties
§ Security policy → Awareness campaigns
§ DLP → Awareness; or simply more trust
Where no restrictive alternative exists, close risk monitoring may allow you to keep restrictive protections switched off until a risk becomes real
Forest or Trees? (Security Monitoring is hard!) (slide 27)

SOC ramp-up delivers fast results only in top-down manner (slide 28)
Bottom-up – Start with data (18 months)
§ Collect available data sources
§ Create simple use cases
§ Become familiar with data
§ Integrate more sources
§ Add advanced use cases
§ Generate alarms
§ Forensically investigate incidents
vs.
Top-down – Start with threats (days per use case)
§ Start with most relevant threats
§ Create tailored use cases
§ Collect only data needed for current use case
Takeaways (slide 29)
1 We chase after vulnerabilities instead of risks by forgetting about hackers' incentives
2 The largest risk-cost trade-off is between restrictions and innovation potential
3 Often, innovation-friendly alternatives exist that can replace restrictive choices
4 Risks need to be monitored and managed: "Protection from everything" kills innovation, thereby kills the very things you want to protect

Questions? Karsten Nohl <[email protected]>