Dec 16th, 2019
# "Good Enough" Security: The Best We'll Ever Have?
## By Dieter Vandenbroeck, Security Manager, and Gwendolyn Van Aken, Security Manager, EY Belgium
## Objective: challenge and get ready for reality; it's about the "mindset"
## Interactive

### What is the most secure organization?
* The one that doesn't exist
* The one that just started to exist
* Google
  * Because of their megascale and frequent attacks, they adapt fast and invest a lot in security
  * They must maintain their position as a trustworthy security giant
* Army/military
  * Have to defend against foreign cyberthreats
  * (Depends on the country, of course)
* Good answers are difficult
* What you would expect:
  * Fort Knox (high physical security because of the trillion USD stored there, strong security protocols, etc.)
  * Black Dolphin (?), a supermax prison in Russia: multiple layers of "prison cells", designed around the fact that no one ever gets out alive

* What happened with Equifax?
  * If you ever want to touch the credit system, you need a credit score
  * Equifax is one of the 3 companies doing that
  * Terrible security practices and a breach meant that attackers had total access to every victim's data
  * Apache Struts vulnerability that was patched as soon as it was revealed and was very widely talked about
  * They haven't gone under yet
  * Investigated by Congress and by senators, both independently

* Security is important **for the end users, not always for the company**

### Would you swim in Australia?
* At a certain beach, there could be sharks
* They have shark detection systems that warn about unsafe areas of the beach
* However, that doesn't mean it's flawless: the beach has already been evacuated because humans spotted dangerous sharks
* If you want absolute security, don't even think about approaching the beach; otherwise, you'll probably take a dip

### Patch Management
* 100% security **does not exist**
* There will always be risks
* The process of tracking issues, discovering fixes and applying them
* Speed is important, **but don't ignore the impact of the patch**
  * Example: Intel CPU vulnerability patches make the CPUs significantly slower
* Annual spending increased 24% in 2019 compared to 2018
* 17% increase in cyberattacks; 60% of **DETECTED** breaches could have been prevented by patching
* Average time to patch is **16 days**
  * Of course, it always depends on the severity of the issue

* Patches take time to apply, so downtime is dangerous
* Patches can mutate, replace, or remove functionality, so systems depending on it can break
* It's hard to convince people to fix non-emergency vulnerabilities
  * You *have* to be able to explain the potential impact of the vulnerability
  * Security ***does not bring money in***; it just prevents the company from losing money
  * Humans are bad at loss aversion for things they don't understand
* If you don't know a patch exists, you can't apply it
  * Research the vulnerabilities; stay up to date on every component in your infrastructure
  * The more complex it is, the harder it is to stay up to date
* You are on a shoestring budget, so anything that requires money will be very hard to get approved by management

### Legacy infrastructure
* If you still use XP, prepare for the worst
* An estimated 2.5% of machines still use XP
  * Of machines connected to the internet
* Many isolated machines use XP; most ATMs, for example, are only now stopping using XP
* Outdated Windows servers are also in use (95% of banks have at least one outdated server)
* Isolated does not mean invulnerable; physical attacks are still feasible
  * The bank knows that, however

### Same company doesn't mean same branch
* Security policies can differ by building, city, branch, and country
* In the Czech Republic (I forgot the name, sorry) they use usernames/passwords because fraud is relatively low and their budget is not high enough

### Zero Trust
* Often, in companies, if you're in the internal network you're "trusted" and usually have access to everything
* Google used to work that way, but after a breach from the UK secret service they started working on a "zero trust architecture", where it's very hard to passively gain trust without proof of trust
* They use a combination of username/password and hardware tokens that are valid only for a session

### K8s (Kubernetes)
* Kubernetes is a container manager that can dynamically create containers across a pool of servers (and route traffic between them and the internet)
* One compromised host doesn't mean all hosts are compromised
* Since the applications are copies of a template, it takes minutes to replace a program across a pool of a thousand machines, compared to days of updating manually scaled machines by hand
* K8s is a big gamble: you have to build on top of it from the beginning, and it's hard to integrate into an existing architecture

### DevOps
* Cloud growth is exponential
* DevOps hiring is exponential
* Security is a detail/oversight
  * It's also expensive, takes time, breaks established patterns like agile, and harms functionality
* **Security is not considered because people don't understand the outcome of being attacked**

### Conclusion and discussion
* Password cracking being so efficient, perfect passwords sound impossible. They don't actually have to be perfect, just good enough to be a deterrent; combined with proper habits, your data will stay safe/secure
  * Passwords are a convenience/complexity tradeoff
  * Even then, the dreaded post-it exists
  * 2FA is also hard to adopt, even though it's only 6 characters
  * Sometimes, passwords are ditched in favor of fingerprint or face recognition

* Saying that something is insecure doesn't help if no solutions are offered
* "If the competition doesn't do it, why bother?"

### Tradeoff triangle

* Quality **and** low cost = slow
* Quality **and** fast = expensive
* Fast **and** low cost = low quality <- the way preferred by the average developer

### GDPR
* Taking into account the state of the art, the cost, the nature, scope, context... you **must** implement security measures to protect your users
* Privacy and security are important; act upon them

### Takeaways 2
* Humans are the weakest link, *again*
* 25% of data breaches are human errors
* IT security programs must be put in place, like physical security keys and employee education

### Takeaways 3
* Rules existing doesn't mean they are enforced
* There must be incentives to respect the rules; if they are not enforced, they are not effective

### Takeaways 4
* It's all about balancing security, means, and convenience
* What's a consultant?
  * Someone who's experienced at doing that
* How do you *measure* security?
  * Budget-wise?
  * Breach-wise?
  * Objective-wise?
  * Something-else-wise?
* **Perfect security does not exist**
* Pick your battles
  * Know what to focus on
* Good advice can be ignored; that doesn't mean it shouldn't be given
* You can have godlike computer security, but walking in and stealing papers can do as much damage; physical security is also important
* Layer your defenses