Keeping First Things First: Maintaining a security focus in a media-driven world
What concerns us in security?
Keeping sensitive data secure, regardless of where it is stored
System integrity – patches and configuration
Keeping critical systems available
Managing the Roman Army
The Imperial Roman Army of AD 30-248 was a standing professional army
Mostly heavy infantry, also cavalry, sailors and marines
At its peak, consisted of over ~400,000 men (c. 3rd century)
The Praetorian Guard
The “special forces” of the Roman Army
Bodyguards of the Roman Emperors
Patrolled the palace and other important buildings
Image credit: "Skytala&EmptyStrip-Shaded". Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Skytala%26EmptyStrip-Shaded.png#/media/File:Skytala%26EmptyStrip-Shaded.png
What was important
Confidentiality of messages
Accuracy and speed of information
Troop strength
Position
Status of supplies
Cursus Publicus
“the public way” δημόσιος δρόμος - dēmósios drómos
Courier service of the Roman Empire
Created by the Emperor Augustus
Used to transport official messages, tax revenues, and some military communications
What was important
Confidentiality of messages
Accuracy and speed of information
Integrity of messages
Seal boxes
Bronze boxes used in combination with wax and a seal (ring or other device) to ensure the integrity of a message
The information security challenges faced by the Roman Army are the same challenges we face today…
except…
How does the media drive the security discussion?
Sensationalism….
http://www.pcworld.com/article/2859283/heartbleed-shellshock-and-tor-the-13-biggest-security-stories-of-2014.html
Dramatic predictions….
http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/
http://www.huffingtonpost.com/peter_schwartz/end-of-internet_b_5856168.html
http://www.darkreading.com/risk-management/the-(not-quite)-end-of-security-on-the-internet/d/d-id/1075199?
If it bleeds it leads….
http://www.bbc.com/news/technology-26954540
Making tech sound scary…
Android “Stagefright”: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829
(Some of the) Top Security Stories of 2014 According to PCWorld.com
“The 13 Most Momentous Security Stories of 2014”
Sony Pictures Hack
Probably North Korean hackers
Stole employee data
Another breach of names, SSNs, salary data
General Internet security impact: Low
Heartbleed
Two-year-old, previously unidentified bug in OpenSSL
Very few confirmed data breaches
“Heartbleed forced millions of people to change their passwords across a variety of websites.”
(In reality, it forced thousands of security professionals to spend thousands of hours explaining to server admins why they had to put in a patch over the weekend)
General Internet security impact: Moderate
Shellshock
Vulnerability in BASH (Bourne-again shell)
Fairly serious remote code execution vulnerability
No significant number of known compromises
General Internet security impact: Moderate
The Death of TrueCrypt
Who cares?
Only security geeks use it
Several other options available (VeraCrypt)
General Internet security impact: Nil
Bad USB
Security researchers discovered a way to re-program USB firmware
Could turn a USB drive into a keylogger or malware delivery mechanism
Could be bad if someone breaks into Kingston, PNY, SanDisk, or Lexar
Only my daughter uses a USB drive to store her homework
Oh, wait, ISACA distributes Geek Week presentations on a USB drive
General Internet security impact: Low
Software/web app security
“If planes, trains, automobiles were built with the same quality enterprise applications were built, we’d all be dead by now.”
Vulnerability testing
Secure coding practices
Baking in security, not bolting on later
The Internet of Things
“Experts estimate that the IoT will consist of almost 50 billion objects by 2020.”
Does Maytag have secure coding practices for their network-connected refrigerator?
Is Symantec planning on deploying anti-malware security for your washing machine?
A BotNet of 50 billion is scary!
(Yeah, that’s a little sensational)
Data, data, everywhere
“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements.” (Larry Ellison)
The traditional perimeter is gone
Security must focus on protecting the data, not just the systems
Who has access, when, from where, and what are they doing?
“We don’t need no stinkin’ patches!”
Patches & configuration management
Application dependencies keeping upgrades from happening
Poor asset management
Not knowing what you have and its current state
Monitoring, Threat Sharing, and Indicators of Compromise
What are you doing to detect potential (or actual) data breaches?
Are you subscribing to threat-intelligence data feeds?
Do you have adequate data and network monitoring tools?
Do you participate in industry-specific information sharing?
“75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).” (Verizon DBIR 2014)
How to maintain focus…
Build relationships within a professional network of trusted partners
Subscribe to closed source threat feeds
Use reliable sources for security information, not bloggers or the media
Figure out what threats will affect your business the most and focus on those!
Write them down
Update periodically
Establish a “risk tolerance”
Keep the fundamentals of security in mind