1,734 views
HITB2012AMS Day 1 – Intro and Keynote
Introduction
Good morning everyone,
After spending a couple of hours on the train, picking up my HITB badge, meeting with some of the organizers and having a great evening hanging out with Steven Seeley, Roberto Suggi Liverani, Nicolas Grégoire, Andy Ellis, Didier Stevens, and some other folks, conference time has arrived.
With the conference taking place at the Okura hotel, the setting is brilliant and the view over Amsterdam is just phenomenal… well, at least from my room it is :)
The speaker line-up looks promising and I hope the talks will be as technical as I expect them to be (based on the descriptions). I look forward meeting old friends and making some new ones. The weather is just awesome, so if you’re at the conference and happen to see me… yes, I’m thirsty.
As promised, I’m going to try to take notes during a couple of presentations, and going to post them right after a talk has finished. The plan is to create individual blog posts, which should make it easy for you to see when new content has been uploaded. The official Twitter hashtag for Hack In The Box 2012 Amsterdam is #HITB2012AMS, make sure to keep an eye on that feed for updates about the conference. If you want to be informed when a new talk has been posted, just follow me on Twitter.
Anyways, it’s time for my first contribution at HITB… covering the keynote talk of Day 1.
Getting Ahead of the Security Poverty Line (Andy Ellis)
Andy Ellis, the CSO at Akamai, has the privilege to kick-start the 2012 edition of Hack In The Box Amsterdam.
Andy starts by mentioning that success metrics are often measured based on the number of phone calls you get at night. He continues by explaining a case where a very low-cost, low-tech solution was used to provide evidence to a jury in a murder case, because the CCTV system had a proprietary – and very buggy – player and they were concerned the player would skip the frames that contained the evidence, when played in court. They simply made screenshots of every single frame, put it in a powerpoint, and printed it out.
The Security Poverity Line refers to the fact that many organizations don’t have enough resources to implement perceived basic security needs. This often leads to the “I can’t even do the barest minimum to cover my ass, so I’d better not do anything but cover my ass” Security Substitence Syndrome. The reality is, Andy explains, that with every step forward, the undone work increases risk and makes future steps harder.
How to “measure” a security program ? Andy explains that Value = Resources * Capabilities. Resources = time + money. Capabilities = skill * effort * effectiveness. The environment where people need to work in, the guidance they will receive, is fundamentally important for the effectiveness of those people. Just having people is not good enough, you’ll need to use their capabilities in a good way. That also means they should get training or be able to attend conferences :). In other words, if you have limited resources, you’ll need to work on your capabilities and see what you can do with less.
How much security is “good enough” ? Businesses are all about taking risk, so to answer this question you’ll need to figure out how much risk you are willing to take. Andy identifies various levels of security values and explains that anything below the “Enough to fool the standard auditor” is below the security poverty line.
Usually, approaches below that line will probably decrease success over time, whereas other approaches might improve security. Of course, adversaries are getting better too, Andy continues. He mentions HD Moore’s law that suggests that “the better Metasploit get, the better everyone gets”. Andy uses the Low Orbit Ion Cannon tool as an example and explains that various versions were released and continue to get better. Everybody can download this tool and use it. We might be using all of these tools for security, but adversaries can perfectly use the same tools for malicious purposes. So if things are getting better for those people, companies need to find something to get better too.
One approach, often employed by people below the poverty line, to make security value better is based on the set-point theory of risk tolerance. This technique is based on incident handling. We think we’re safe now, we’ll fix issues when they happen, and we move on. In most cases, however, people don’t really remove risk at that time. This approach is based on perceived risk and the human nature to create some stable equilibrium. People will just accept the new level of risk, learn to live with it, and forget that things used to be better in the past. After all, the risk didn’t just show up, it has been always there, so let’s just increase the level we accept, absorb, and forget about. It’s a habit and becomes routine. The actual risk is clearly higher than the perceived risk.
A favorite technique employed by a lot of security companies is to scare businesses, try to make them believe risk is higher than what it really is. The only thing they do is increase the level of perceived risk, and not the actual risk. On top of that, there’s a fair amount of security theatre. Vendors will try to sell things and claim it will decrease risk, while it only decreases perceived risk. The often used technique is based on news articles. If a website in Azerbaijan gets DoS’ed, they’ll try to sell you DDoS protection tools. If a certain CEO loses some data, they’ll try to sell you a full blown DLP solution.
It’s clear that, if you are below the poverty line and don’t have big budgets, you may have to revert to using simple techniques. As long as you do the right things and focus on the right things, some easy/simple/low cost solutions may decrease the real risk level.
Security Awareness programs are often done wrong too, Andy continues. Auditors believe that if we just train employees with a basic security education, then of course we’ll have no problems. A basic, standard security awareness program is put in place, based on a simple web-based automated tool, and some additional targeted training is added for certain cases. Basically, a tool shows a nice page, people have to click the “I acknowledge” button and information is stored in a database. When auditors show up, you can give them a printout of the database. Of course, this has certain value, but the targeted training is what will make the difference. One of the things Akamai does is, when a targeted social engineering attack was discovered, employed via a phone call, a mail is sent out to all phone operators, with details about the attack.
A lot of companies start using cloud based solutions, basically allowing 3rd party companies to deal with your systems and data. In a typical process, the company defines requirements, evaluates vendors, selects a vendor and implements a solution. To do things properly, you’ll need to include security evaluation in the workflow, right from the start, and at every stage in the process.
To sum things up, it’s important to figure out what you can do what you CAN fix, instead of trying to fix all of the problems (or ignore they exist). You will fail if you try to fix everything. You will fail if you don’t fix anything. Pick a few targets and try to fix them without spending too much budget. If you do it right, you should be able to increase your security value over time. Be creative.
© 2012, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.