[CB16] Keynote: How much security is too much? by Karsten Nohl

SRLabsTemplatev12

Howmuchsecurityistoomuch?

Dr.KarstenNohl<[email protected]>

Whatyouwilltakeawayfromthiskeynote

2

1. Hearfromasecurityresearcherandpractitioneraboutwhichprotectionsworkandwhichareunnecessary

2. Abetterunderstandingofthesecurity-innovationtrade-off

3. Someideasfordeployingeffective(butneverperfect!)securitymeasures

Howsecurityprosviewthemselves

3

vs.

4

Productsecurity Informationsecurity

Removehackingrisksforyourcustomers

Protectyourownsystemsfromhacking

WeaskthequestionHowmuchsecurityistoomuch?intwoareas

A B

Agenda

5

1 Securityresearchers*takeextremepositions

2 Manycompaniesonlyreacttoextremepositions

3 Thesecuritycommunityisfightingvulnerabilities,notrisks

Informationsecurity

Productsecurity

*Asreportedinthemedia

A

B

TerribleyearforiOSsecurity,right?

6

Pegasusmalware

FBI-stylehardwarehacking

YouriPhonegettinghackedisratherunlikely

7

Pegasusmalware

FBI-stylehardwarehacking

- 1billioniOSdevicespossiblyvulnerable

+ Onlyone(!)attemptedinfection

+ Applepatchedthevulnerabilitywithin10days

- Hackisnowpubliclyavailableatlowcost

+ Onlypossiblewithhardwareaccess

+ Onlyworksagainsttheoldest22%ofiPhones(5candolder,March2016)

Sourceforgraph:http://info.localytics.com/blog/how-will-apples-newest-iphone-impact-mobile-engagement

iPhonemarketbreak-down[Apr2016]

65S6S6Plus6SPlus55C4S4

Agenda

8

1 Securityresearcherstakeextremepositions



ProductsecurityA

9

Android 654.44.3(andolder)

Hackeddevices vs.marketbreak-down(%)

0 50 100

Marketbreak-down

Hackedphones

~2%hacked

Nothacked

FewAndroidphonesgethacked;thosethatdoareoutdated

Source:developer.android.com/about/dashboards/index.html ,https://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf,

Shouldmobilereallybeachiefsecurityconcern?

10

<0.1%~2%

(<0.2%forcurrentdevices) 20-40%

iOSinfectionrate Androidinfectionrate Windowsinfectionrate

http://www.pandasecurity.com/mediacenter/src/uploads/2016/05/Pandalabs-2016-T1-EN-LR.pdf

CompaniesInfoSecprioritiesarenotalignedwithactualincidents

11

vs.

1. BuyiOS securitysoftware

2. BanorlockdownAndroiddevices

…

10. DosomethinguncreativeaboutWindows security,likeupgradingantivirussoftware

1. Windows

2. Windows

3. Socialengineering

4. Windows

…

100.Android

ILLUSTRATIVE

TypicalcorporateInfoSecpriorities Actualendpointhackingincidents

Agenda

12

1 Securityresearcherstakeextremepositions



ProductsecurityA

Yourtimeisbestspentprotectingfrommostlikelythreats

13

Low Medium High

Vulnerability/Hackingease Hackerincentive Damage Risk

Don’tbotherprotectingyourInternet-connectedcomputersfromBadUSBbeforeyousolvedthemalwarechallenge

InfectcomputersfromUSBfirmwares

Localattackpropagation

(Variesbysystem)

InfectWindowsthroughe-mailattachmentsormaliciouswebsites

Remoteinfection (Variesbysystem)

BadUSB

Targetedmalware

ILLUSTRATIVE

Nextbighackingfrontier:Cars?

14

Securitycautioncandelaysafety,andultimatelykillpeople

15

0

1

2

3

4

5

1970 1980 1990 2000 2010 2020

Carfatalitiesper100millionmiles[US]

Autonomouscars?Airbags

Adaptivecruisecontrol

ABS

ESC

§ Ifwetestallnewcarcomponentsforhackingrisks,wedelaytheirintroduction

§ Adelayof3monthsduetosecuritydesignandtestingmeansmorepeoplegetkilledontheroad

§ 200.000 morepeoplediewithinthenext10years

SOURCE:https://en.m.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year

Agenda

16

1 Everybodybreakssecurityrules(butwedon’tusuallytalkaboutit)

2 Unpopularsecuritycontrolsarenoteffective,andworse:theyinhibitinnovation

3 Forsecurityor innovationtowork,weneeduser-friendlysolutions

4 Threatmonitoringisuser-friendly.Itincreasesmotivation,productivity,innovationand security

Productsecurity

InformationsecurityB

A

Restrictiveprotectionsareeasilyandoftencircumvented

17

Standardcircumvention

Skypetunnelsitstrafficthroughwebproxiesandregularlychangesitsserveraddresses

Standard“protection”practice

Blockeverythingelseatfirewall

Corporateuser

Internet

✗

Funnelwebbrowsingthroughproxyserver

Largehacksareoftentheresultofprotectionscircumventedbypeoplewho“needtodotheirjob”

18

Hackingcase

Target lostcreditcarddatafor300millioncustomers

Rootcause

ATargetsupplierinstalledaremoteaccesstooltotunnelintotargetnetworkformaintenance

Target’s CEO Steps Down Following The Massive Data Breach

Agenda

19

1 Everybodybreakssecurityrules





20

Casestudy– typicalEnterprise/SOA busevadesclassicnetworksecuritytechniques

21

Low-levelprotectionsthatdonotpreventapplevelhacksarenotshown:firewalls,IPS,proxies,andSSLgateways

Servicebus

Authenticationserver

Criticaldatabases

Userrequestsareoftenpassedonallthewaytocriticalservicesonthebus

Externalandinternalusers

Webapplicationfirewall

(unmanaged)

Applicationservers

App

App

Circumventingrestrictivecontrolsoftenisnetpositive

22

Area Incidentexample Cost

Destructivedamage

§ Scadahackdamagesfactory 10m 2%

Lostrevenue § Majorgovernmentcontractdoesnotclose

50m 1%

Imageimpact

§ Majormarketingcampaignneededtooffsethackingimpact

§ Smallercampaignneededtooffsetsmallerhackingimpact

15m

1.5m

1%

10%

Competitivedamage

§ TheftofmajorIP(patentapplication,designdocument)

§ Negotiationdetailsstolen(M&A,long-termcontracts)

5m

2m

10%

10%

Effectivetotalcostperyear <2m

Likelihoodperyear

Trade-offfunction. Investuntildamageelasticity=incrementalprotectioneffort

Securitycansavemillions vs.

§ “Billiondollarideas”mostlygrowfromcreativepeoplefreelyplayingwithinnovativetechnology,whichistheoppositeofwhatsecurityoftenaimsfor

§ MicrosoftpaidUSD9billiontobuySkype,atechnologytheMicrosoftpolicieswouldnotallow

§ German“Datenschutz”vs.SiliconValleyprofits

Trade-offfunction.Protectuntilandaslongasinnovationcanflourish

Restrictivesecuritycandestroybillions invalue

Toolittleandtoomuchprotectionhindersinnovation

23

Damage Protectioneffort Innovationpotential

Incidentsspreadfear

Restrictions killinnovationenergy

Agenda

24






Less-restrictiveprotectionalternativesoftenexist

25

§ Manycomplexpasswords

§ Webproxyblocklists

§ Noadminrightsforusers

§ Corporatephones(Blackberrys)

§ Endlesspentesting

§ Securitypolicy

§ DLP

Restrictiveprotections

§ Single-sign-onusingsmartphones

§ SSLterminationandmonitoring

§ Processmonitoring

§ BYODwithActiveSyncandVPN

§ Bugbounties

§ Awarenesscampaigns

§ Awareness;orsimplymoretrust

Innovation-friendlyalternatives

Wherenorestrictivealternativeexists,closeriskmonitoringmayallowyoutokeeprestrictiveprotectionswitchedoffuntilariskbecomesreal

Agenda

26



3 Forsecurityorinnovationtowork,weneeduser-friendlysolutions



ForestorTrees?(SecurityMonitoringishard!)

27

SOCramp-updeliversfastresultsonlyintop-downmanner

Bottom-up – Start with data Top-down – Start with threats

18 months Days per use case

Forensically investigate incidents

Start with most relevant threats

Create tailored use cases

Collect only data needed for current use case

§ Add advanced use cases§ Generate alarms

§ Become familiar with data§ Integrate more sources

§ Collect available data sources§ Create simple use cases

28

vs

Takeaways

29

Questions?Karsten Nohl <[email protected]>

2

3

4

Thelargestrisk-costtrade-offisbetweenrestrictionsandinnovation potential

Often,innovation-friendlyalternativesexistthatcanreplacerestrictivechoices

Risks needtobemonitored andmanaged:“Protectionfromeverything”killsinnovation,therebykillstheverythingsyouwanttoprotect

1 Wechaseaftervulnerabilitiesinsteadofrisks byforgettingabouthackers’incentives

[CB16] Keynote: How much security is too much? by Karsten Nohl

Technology