- # "Good Enough" Security: The Best We'll Ever Have?
- ## By Dieter Vandenbroeck, Security Manager, and Gwendolyn Van Aken, Security Manager, from EY Belgium
- ## Objective: Challenge and get ready for reality, it's about the "mindset"
- ## Interactive
- ### What is the most secure organization?
- * The one that doesn't exist
- * The one that just started to exist
- * Google
- * Because of megascale and frequent attacks, they adapt fast and invest a lot in security
- * They must maintain the position of a trustworthy security giant
- * Army/Military
- * They have to defend against foreign cyberthreats
- * (Depends on the country, of course)
- * Good answers are difficult
- * Would expect
- * Fort Knox (because of the high physical security around the trillions of USD stored there, great security protocols, etc.)
- * Black Dolphin (?), the supermax prison in Russia: multiple layers of "prison cells", designed around the fact that no one ever gets out alive
- * What happened with equifax?
- * If you want to ever touch the credit system, you need a credit score
- * Equifax is one of the 3 companies doing that
- * Terrible security practices and a breach means that attackers had total access to every victim's data
- * An Apache Struts vulnerability that was patched as soon as it was revealed and was very widely talked about
- * Equifax hasn't sunk yet
- * Investigated by Congress and by senators, both independently
- * Security is important **for the end users, not always the company**
- ### Would you swim in australia?
- * At a certain beach, there could be sharks
- * They have shark detection systems that warn about unsafe areas of the beach
- * However, that doesn't mean it's flawless: the beach has already been evacuated because humans spotted dangerous sharks
- * If you want absolute security, don't even think about approaching the beach; otherwise, you'll probably take a dip
- ### Patch Management
- * 100% security **does not exist**
- * There will always be risks
- * The process of tracking issues, discovering fixes and applying them.
- * Speed is important, **but don't ignore the impact of the patch.**
- * Example: patches for the Intel CPU vulnerabilities make the CPUs significantly slower
- * Annual spending increased 24% in 2019 compared to 2018
- * 17% increase in cyberattacks; 60% of **DETECTED** breaches could have been prevented by patches
- * Average time to patch is **16 days**
- * Of course, it always depends on the severity of the issue
- * Patches take time to apply, and the resulting downtime is dangerous
- * Patches can change, replace, or remove functionality, so systems that depend on it can break
- * It's hard to convince people to fix non-emergency vulnerabilities
- * You *have* to be able to explain the potential impact of the vulnerability
- * Security ***Does Not Bring Money In***, it just prevents the company from losing money
- * Humans are bad at avoiding losses from things they don't understand
- * If you don't know a patch exists, you can't apply it
- * Research about the vulnerabilities, stay up to date about every component in your infrastructure
- * The more complex it is, the harder it is to stay up to date
- * You are on a shoestring budget, so anything that requires money will be very hard to get approved by management
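- The tracking part of the process above ("if you don't know a patch exists, you can't apply it") comes down to matching an inventory of every component you run against the advisories you know about, then ranking what is still open. The script below is an added example, not code from the talk or from EY; all component names, versions, advisory ids and dates are constructed placeholders, and the 16-day figure quoted above is reused only as the threshold past which an open advisory is flagged as overdue.

```python
"""Patch tracking triage: match a component inventory against known advisories.

Added example; it is not code from the talk or from EY. Component names,
versions, advisory ids and dates below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date

# The talk quotes an average time-to-patch of 16 days; used here as the
# threshold past which an open advisory is flagged as overdue.
AVG_DAYS_TO_PATCH = 16

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple          # installed version, e.g. (2, 3, 1)
    isolated: bool = False  # True if not reachable from the internet


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed id such as "ADV-0001", not a real CVE
    component: str
    fixed_in: tuple    # first version carrying the fix
    severity: str
    published: date


def parse_version(text):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def outstanding(inventory, advisories, today):
    """Return advisories whose fix is not installed, most urgent first.

    An advisory is skipped when the component is not deployed at all or the
    installed version is already at or past the fixed version.
    """
    installed = {c.name: c for c in inventory}
    findings = []
    for adv in advisories:
        comp = installed.get(adv.component)
        if comp is None or comp.version >= adv.fixed_in:
            continue
        days_open = (today - adv.published).days
        findings.append({
            "advisory": adv.advisory_id,
            "component": comp.name,
            "installed": comp.version,
            "fixed_in": adv.fixed_in,
            "severity": adv.severity,
            "days_open": days_open,
            "overdue": days_open > AVG_DAYS_TO_PATCH,
            "exposed": not comp.isolated,
        })
    # Internet-exposed components first, then by severity, then oldest first.
    findings.sort(key=lambda f: (not f["exposed"],
                                 SEVERITY_RANK[f["severity"]],
                                 -f["days_open"]))
    return findings


def demo(today=date(2019, 10, 1)):
    """Run the triage over a constructed inventory and advisory list."""
    inventory = [
        Component("webfw", parse_version("2.3.1")),
        Component("dbserver", parse_version("9.6.0"), isolated=True),
        Component("imglib", parse_version("1.6.37")),
    ]
    advisories = [
        Advisory("ADV-0001", "webfw", parse_version("2.3.2"), "critical", date(2019, 9, 1)),
        Advisory("ADV-0002", "dbserver", parse_version("9.6.2"), "high", date(2019, 9, 26)),
        Advisory("ADV-0003", "imglib", parse_version("1.6.37"), "medium", date(2019, 9, 20)),
        Advisory("ADV-0004", "notdeployed", parse_version("1.0.1"), "critical", date(2019, 9, 1)),
    ]
    return outstanding(inventory, advisories, today)


if __name__ == "__main__":
    for finding in demo():
        flag = "OVERDUE" if finding["overdue"] else "open"
        print(f'{finding["advisory"]} {finding["component"]} {finding["severity"]:8} '
              f'{finding["days_open"]:3}d {flag}')
```

- Two of the four constructed advisories survive triage: the exposed, critical web component that has been open for 30 days is flagged overdue and sorted first, while the isolated database server opened five days ago is listed but not yet overdue. The advisory whose fix is already installed and the one for a component that is not deployed are dropped, which is exactly the inventory knowledge the talk says you must maintain.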
- ### Legacy infrastructure
- * If you still use XP, prepare for the worst
- * An estimated 2.5% of machines connected to the internet still use XP
- * Many isolated machines use XP; most ATMs, for example, are only now moving off XP
- * Outdated Windows servers are also still in use (95% of banks have at least one outdated server)
- * Isolated does not mean invulnerable; physical attacks are still feasible.
- * The banks know that, however
- ### Same company doesn't mean same branch
- * Security policies can differ from building to building, from city to city, from branch to branch, from country to country
- * In the Czech country (I forgot the name, sorry) they use usernames/passwords because fraud is relatively low and their budget is not high enough
- ### Zero Trust
- * Often, in companies, if you're on the internal network you're "trusted" and usually have access to everything.
- * Google used to work that way, but after a breach from the UK secret service they started to work on a "zero trust architecture", where it is very hard to gain trust passively, without proof.
- * They use a combination of username/password and hardware tokens that last only for a session
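- What "no passive trust" looks like in code: an access decision that never consults the source network and instead requires a session-bound proof of both identity and device. The script below is an added example, not Google's implementation or anything shown in the talk; the hardware token is stood in for by an HMAC-signed session token, and the issuer key, user names, device ids, ACL and session lifetime are all constructed.

```python
"""Zero-trust access decision: being on the internal network proves nothing.

Added example; it is not Google's BeyondCorp code or anything from the talk.
The hardware token is stood in for by an HMAC-signed session token; the
issuer key, user names, device ids, ACL and lifetime are constructed.
"""
from dataclasses import dataclass
import hashlib
import hmac

SESSION_LIFETIME = 8 * 3600  # seconds; the granted trust expires with the session


@dataclass(frozen=True)
class SessionToken:
    user: str
    device_id: str
    issued_at: int  # Unix time at issuance
    tag: str        # HMAC-SHA256 over (user, device_id, issued_at)


def _message(user, device_id, issued_at):
    return f"{user}|{device_id}|{issued_at}".encode()


def issue_token(issuer_key, user, device_id, now):
    """Mint a session token once the user has proven identity and device."""
    tag = hmac.new(issuer_key, _message(user, device_id, now), hashlib.sha256).hexdigest()
    return SessionToken(user, device_id, now, tag)


def token_valid(issuer_key, token, now):
    """Check the tag in constant time; reject expired or future-dated tokens."""
    expected = hmac.new(issuer_key, _message(token.user, token.device_id, token.issued_at),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.tag):
        return False
    return 0 <= now - token.issued_at < SESSION_LIFETIME


def authorize(request, issuer_key, registered_devices, acl, now):
    """Return (decision, reason). request["network"] is deliberately never read."""
    token = request.get("token")
    if token is None or not token_valid(issuer_key, token, now):
        return "deny", "no valid session token"
    if token.device_id not in registered_devices:
        return "deny", "device not registered"
    if request["resource"] not in acl.get(token.user, ()):
        return "deny", "user not permitted on resource"
    return "allow", "identity and device proven for this session"


def demo():
    """Run constructed requests through the policy and return the decisions."""
    key = b"constructed-issuer-key"
    devices = {"laptop-42"}
    acl = {"alice": {"payroll"}}
    t0 = 1_570_000_000
    good = issue_token(key, "alice", "laptop-42", t0)
    forged = SessionToken("alice", "laptop-42", t0, "0" * 64)   # bad tag
    foreign = issue_token(key, "alice", "unknown-box", t0)       # device not enrolled
    cases = {
        "internal_no_token": ({"network": "internal", "resource": "payroll"}, t0 + 60),
        "external_good_token": ({"network": "coffee-shop", "resource": "payroll", "token": good}, t0 + 60),
        "expired_token": ({"network": "internal", "resource": "payroll", "token": good},
                          t0 + SESSION_LIFETIME + 1),
        "forged_tag": ({"network": "internal", "resource": "payroll", "token": forged}, t0 + 60),
        "unregistered_device": ({"network": "internal", "resource": "payroll", "token": foreign}, t0 + 60),
        "wrong_resource": ({"network": "internal", "resource": "hr-db", "token": good}, t0 + 60),
    }
    return {name: authorize(req, key, devices, acl, now)[0] for name, (req, now) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22} {decision}")
```

- Only the request carrying a fresh, correctly signed token for an enrolled device and a permitted resource is allowed, and it is the one arriving from a coffee-shop network. Every request from the "internal" network is denied for some other reason: no token, an expired one, a forged tag, an unenrolled device, or a resource the user is not entitled to. That inversion of the perimeter model is the whole point of the architecture described above.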
- ### K8s (Kubernetes)
- * Kubernetes is a container manager that can create containers in a pool of servers dynamically (and route traffic between them and the internet)
- * One compromised host doesn't mean all hosts are compromised
- * Since the applications are copies of a template, it takes minutes to replace a program across a pool of a thousand machines, compared to days of updating manually scaled machines by hand
- * k8s is a big gamble: you have to build on top of it from the beginning, and it's hard to integrate into an existing architecture
- ### DevOps
- * Cloud growth is exponential
- * Devops hiring is exponential
- * Security is a detail/oversight
- * It's also expensive, takes time, breaks established patterns like agile, and harms functionality
- * **Security is not considered because people don't understand the outcome of being attacked**
- ### Conclusion and discussion
- * With password cracking being so efficient, perfect passwords sound impossible. They don't actually have to be perfect, just good enough to be a deterrent; combined with proper habits, your data will stay safe/secure.
- * Passwords are a convenience/complexity tradeoff
- * Even then, the dreaded post-it exists
- * 2FA is also hard for people to pick up, even though it's only 6 characters
- * Sometimes, passwords are ditched in favor of fingerprint or face recognition
- * Saying that something is insecure doesn't help if no solutions are offered.
- * "If the competition doesn't do it, why bother?"
- ### Tradeoff triangle
- * Quality **And** Low Cost = slow
- * Quality **And** Fast = Expensive
- * Fast **and** Low Cost = low quality <- this is what the average developer prefers
- ### GDPR
- * Taking into account the state of the art, the cost, the nature, scope, context... you **must** implement security measures to protect your users
- * Privacy and security are important, act upon them
- ### Takeaways 2
- * Humans are the weakest link, *again*.
- * 25% of data breaches are human errors
- * IT security programs must be put in place, such as physical security keys and employee education
- ### Takeaways 3
- * Rules existing doesn't mean that they are enforced.
- * There must be incentives to respect the rules; if they are not enforced, they are not effective.
- ### Takeaways 4
- * It's all about balancing security, means, and convenience
- * What's a consultant?
- * Someone who's experienced at doing that.
- * How do you *measure* security?
- * Budget-wise?
- * Breach-wise?
- * Objective-wise?
- * somethingelse-wise?
- * **Perfect security does not exist**
- * Pick your battles
- * Know what to focus on
- * Good advice can be ignored, it doesn't mean it shouldn't be given
- * You can have godlike computer security, but someone walking in and stealing papers can do as much damage; physical security is also important
- * Layer your defenses