
Collapsology: Why your biggest threat isn't exposed RDP

BSides Perth · 2021 · 28:32 · Published 2021-09
Style: Talk
About this talk
Talk from BSides Perth 2021. Web: https://www.bsidesperth.com.au Twitter: https://www.twitter.com/bsidesper

Talk: Collapsology: Why your biggest threat isn't exposed RDP

For decades, anthropologists, quantitative historians, and sociologists have discussed and proposed various explanations for the collapse of civilizations, from unsustainable complexity, decay of social cohesion, rising inequality and general misfortune. Using our time traveling phone booth, we'll investigate historical collapses and conduct a root cause analysis to investigate why these collapses happened, and how we can observe similar issues in modern business environments. This talk provides an overview of how to identify cultural threats in a rapidly evolving business landscape, and how we can use modern day tools to identify these threats before they result in security culture collapse.

Key points addressed:
- Who is impacting your culture
- Identifying cultural problems
- Building a diagnostic toolkit

About the presenter: errbufferoverfl
Buffy (she/they) currently works at Canva as a security engineer, born on a moonless night in an undisclosed location along the cyber ley lines. For the past five years, they have been using the mystical powers handed down for generations to tame Pythons and Gophers, manifesting themself into the security engineer they are today.
Transcript [en]

Hello BSides Perth, I'm errbufferoverfl, or Buffy for short. Today I'll be walking you through three different societies, exploring their successes, failures and reasons for perseverance, and drawing parallels between these empires and modern-day security culture. I'll also provide a set of tools to help you identify similar issues in your company's security culture, which brings me to collapsology: a transdisciplinary study of risks that result in the collapse of empires. And just as a heads-up, today we will be talking about some of the toxic parts of workplace culture, so that might bring up some bad memories for some of you.

Our first stop today is the Neo-Assyrian Empire, which at the time was the largest empire of the world. They were located in the Near East and had control over modern-day Lebanon, Syria, parts of Turkey and Egypt. The empire was established in the 10th century BC and ultimately collapsed in the seventh. So let's take a look at one of the key influences that resulted in the fall of this empire, the lessons we can learn from their failure, and what we can do to prevent the same fate.

So after the death of the king of Assyria in 631 BC there was a lot of political instability and ongoing civil war between many of the occupied territories as they fought to gain independence from their middle managers, I mean rulers. The rulers of the time even wrote about their fears of internal danger, palace intrigue and rebellion. But what made management's situation worse was that the Assyrians gained most of their territory through a show of military dominance and were notorious for resettling conquered people to other areas within the empire, which resulted in pockets of resistance. So while most modern organizations don't collapse after the murder of their CEO or grow by placing armed militia outside corporate headquarters, we can see modern-day equivalents of palace intrigue and rebellion. These types of political threats occur when interests and agendas collide in a way that has an impact on the organization's ability to operate, and this is the same for security teams.

One of the most common political threats I've observed is turf wars: when managers or employees engage in competition for bureaucratic control of resources or the advancement of individual or organizational goals. You've probably seen, in the organizations you've worked in, where silos or particular managers stand above the decisions of security, or decisions are consistently undermined. In other cases security management might even cease to exist, or it may be relegated to a small security team with no authority to enforce security decisions. When I was a pen tester I would see turf wars play out on onboarding calls, where the team in charge of provisioning access would challenge or cause delays in getting started because they didn't like that another team had procured penetration testing. When I moved into governance I saw obvious signs of turf wars during risk assessments, when the security team would lament that security objectives were being sidelined for product delivery even when they were clear drivers. The result was always the same though: low risk acceptance with slow-moving security programs, a large, highly risky security backlog, with a prevalent shadow IT problem.

The other threat that appears when talking about politics is vendor bias, and this can be anyone providing goods and services, including open source. This threat takes many forms, from consulting companies pushing products that aren't adequately matched to the company, to organizations that swear by a particular vendor or hate a vendor to the point it becomes a detriment. It also takes the form of organizations refusing to buy a product because there are similar open source variations, forgetting that you pay for this software in other ways. And while there is some accountability required by the businesses seeking out vendors, it can be very difficult to get unbiased information if you have a small or inexperienced security team, and this is the same in consulting. The outcome of vendor bias, though, is rational security decisions being held hostage by forces that may not be fully articulated or even understood by the organization. You may end up having to devote resources and budget to workarounds to get technology to match security requirements, and security teams may deny themselves the best solution because they've decided that they dislike the provider on personal grounds. Internally, the organization may find itself behind the ball on skills and innovation by continually supporting vendors out of a sense of loyalty, or animosity to the competitor, rather than using sound business analysis, which can be a difficult debt to pay.

Now there isn't much hope for the Neo-Assyrian Empire turning things around at this point, but for organizations now, you can reduce the likelihood of these political threats manifesting in similar ways. The first tool we're going to look at today can help you identify that political back and forth. It's called the Competing Security Cultures Framework, and like the name suggests, it can help explain the conflicts and competing priorities that often create security risk and failure, especially those brought on by politics. But don't be fooled: it's not a cure-all, and the framework doesn't pretend to fully describe or explain every organization's security culture in every dimension. It's a tool for learning and exploration, so people working within the context of an organization's security culture can learn more about that culture, assign terms and concepts to it, and identify areas of risk that emerge when security priorities and values come into opposition with one another.

So in summary, if the Assyrian Empire was a modern business, we could see how their management style would have incited turf wars as management looked to serve their own goals. By looking at how they left newly occupied territories unmanaged, we can see how this would have encouraged smaller teams to make biased vendor decisions, leaving their own teams under-skilled and looking after impractical security tools, and also likely resigning in droves. I also think there would have been a massive shadow IT problem as smaller teams worked to maintain efficiency with small budgets and little oversight. But for you, though, the Competing Security Cultures Framework can be used to help identify these cultural issues by providing you with the ability to describe and interpret the different ways that politics is impacting the security culture.

In the next section we're going to look at some of the success achieved by another empire, what a highly reliable culture can look like, and how you can identify similar qualities in your own organization. By contrast to the Assyrian Empire, the Romans succeeded for nearly 1700 years, and while it eventually collapsed when Constantinople was taken by the Ottoman Turks, Rome's republican institutions left an enduring legacy, influencing the city-state republics of the medieval period as well as early democratic republics. The Roman Empire evolved from ancient Rome and was founded in 27 BC. We're in southern Europe now, where the Roman Empire has continuous territories throughout Europe, North Africa and the Middle East. So let's take a look at what distinguished them from the Assyrians and what tool we can use to make sure our organization thrives like the Roman Empire once did.

I like to call Rome a high reliability empire. They maintained complex social structures and political structures, with a constitution, detailed laws and elected officials such as senators. However, unlike other empires of the time, it wasn't as top-heavy, and they instead deferred to people who were closest to the issues of the time, which was helped by increased social mobility. The Roman army was also known for their sensitivity to operational activities, working to balance the political outcomes of the empire, a process of diplomacy backed by the threat of military action, and their military engagement in order to defeat the enemy.

In the modern day, though, organizations that embody similar qualities are called high reliability organizations, and while they have less reliance on military presence, they have continued to adapt to the dangerous and hostile environments that they operate in. The qualities possessed by these types of businesses can be grouped into five principles that explain the qualities seen in the Roman Empire but also distinguish normal businesses from these highly reliable ones.

The first principle is the preoccupation with failure. In most organizations failure is considered a universally bad thing, and it should be avoided at all costs. In highly reliable organizations there's actually a drive to identify these failures at all costs and as early as possible, using small failures as a tool that can be used to avoid larger disasters. Like the Roman Empire, there is also a reluctance to simplify, but it's not to be mistaken with "complex is good". High reliability organizations maintain a healthy respect for the complexity and unpredictability of their environment and seek complicated answers backed by observation and data. And like the Roman military, there is a sensitivity to operations. High reliability organizations put equal emphasis on the tactical requirements that make strategy work, and leaders don't just do the vision thing, leaving everyone else to hammer out the details. Instead they focus on gathering data and knowledge from a variety of sources to make the links between strategy and operations what drives their success. You'll also see in highly reliable organizations a commitment to resilience, and that's because they know that they'll experience failure at some point, and instead of worrying they'll put time and effort into imagining how that failure will occur and what they should do when it arrives. These highly reliable organizations also demonstrate the ability to defer to experts. Hierarchies are important to highly reliable organizations, but not when they hinder people, so instead they focus on the skills and judgment of people who are closest to the systems in question to gather data and feedback, which helps form their strategies.

And this brings us to the second tool for today, the Security FORCE Behavioral Model, which measures the qualities we just discussed and maps them back onto your security program, allowing the business to transform a typical security program into a highly reliable version of itself. This transformation can help businesses reduce the number of large security failures and improve recovery time from failure. But a high reliability security program isn't a label that the security team puts on itself; it's something that it does. It's very similar to duck typing: if it looks like a duck, walks like a duck, quacks like a duck and has the DNA of a duck, it's a duck. This model just defines what it means to be a highly reliable duck.

So there are two parts of the model. The first is a survey that can help you assess whether or not employees, not just the security team, believe that the organization has a highly reliable security program. The survey is made up of 25 statements divided into five sections, each representing a value that we just discussed. Respondents are asked to state their level of agreement with each statement, from strongly agree to strongly disagree. Like the Competing Security Cultures Framework it is a generalist tool, so it's flexible in its application and how results can be charted. And because highly reliable security programs aren't found in organizations where security is both highly centralized and isolated, if you are using this survey it's really important to cast the net wide to make sure you get a good mix of opinions.

The second tool is a set of measures for each of these values. It's made so that you can gather data regarding how well you actually embody the behaviors in practice. The metrics measure things like the number of security failure scenarios developed in the past year, the average time to organizational decision from idea inception to idea execution, the number of security-related training opportunities provided to people, and so on. These metrics are designed to assess highly reliable security program related traits and compare them over time, so when they're charted the metrics will tell a story of behavioural change and artifact creation, providing empirical evidence that the organization is actually changing behavior rather than creating artificial artifacts to tick a box or please an auditor.

I had a long think about this, and I decided that if the Roman Empire was a modern business it would be a story very similar to that of Code Spaces, who offered developers source code repositories and project management services using Git or Subversion. They'd been operating with great success for seven years and had no shortage of customers, but in 2014 they had their Amazon Elastic Compute Cloud control panel breached and ultimately destroyed by hackers. And so, much like the Roman Empire, where they embodied high reliability and success in some ways, when you take away being adept at failure or practicing the value of resilience, it's easy to see a once-thriving empire topple overnight. Because high reliability security programs are less about how organizations succeed at security; at the core it's really about how they fail at it, in very particular ways and under very specific circumstances. So you'll notice that a majority of security programs, even very mature ones, will often find capabilities strained when it comes to failure, because they rely on being robust and never having to experience that failure. Unlike the Roman Empire, though, you have the Security FORCE survey and metrics to drive change in habits and behaviors, adopting new ones that will make large failures less likely and help your team respond better.

So far we've explored how the Assyrian Empire fell because of politics, while the Roman Empire had limited success because they embodied only some of the qualities of a high reliability empire. So now we're back in the modern day, and the empire we're actually going to look at now is yours. We're going to look at what the future could hold if security threats go unchecked and how we can identify them before it's too late. I'll make a safe assumption that, because we're at a security conference, most of you have had some sort of interaction with security in some way, whether that be with security engineers, governance and risk teams or security consultants. You might even be the security person or make up a larger security team. So as we go through this section I want you to analyze how security decisions you've been a part of have been made, or how decisions you've seen made have been handled, and see if you can see these threats lurking in the background.

Now, the security culture collapsologists can't be sure how successful your organization will be, because the nature of collapsology tends to be retrospective, but we can heed their warnings and try and avoid a similar fate. We can do this by understanding how employees at your organization view the security culture, and look to explore this territory, identify threats and treat them to ensure that your security empire stands the test of time.

One of the most common and threatening logistical threats I've observed is incompatible outcomes, and I say it's one of the most threatening because it regards strategy: for example, how bring your own device is introduced or managed, or how organizations migrate to the cloud or introduce new features into their product. When strategy is managed properly, by involving people closest to the problem, there's a mutual understanding and respect for opinions, and the threat of incompatible outcomes can be largely mitigated. But when product delivery isn't properly balanced with security and privacy controls, especially when imbued with political, emotional and psychological threats, they can grow into serious security issues, promoting shadow IT and encouraging people to circumvent security controls. There'll also be a lack of accountability and lots of finger-pointing when things go wrong. And not even large technology companies are immune to this, as we can see when Apple looked to introduce client-side media scanning, which concerned a lot of security and privacy experts, while Slack attempted to roll out its private message anyone feature, which was quickly rolled back over privacy and harassment concerns. In your organization, though, this can be the sales team promising clients new features without consultation, or engineers rolling out features without security or privacy sign-off, and it's a very common and ubiquitous problem. It's also seen internally when governance teams enforce controls on employees without any regard for their impact on workflow, which results in users relying on shadow IT to get the job done. This threat degrades businesses to the point of creating a sense of false choice, where every concession to the business is seen as a loss for security and every security initiative is seen as a blow to business efficiency, instead of being treated as joint outcomes that can bring value to everyone when properly managed.

But logistical threats aren't the only ones we need to worry about, because we also have emotional threats, specifically fear, uncertainty and doubt, which I think is something that resonates with a lot of people right now. When working as a consultant it was common to have clients call about the latest security news cycle, whether it be the SolarWinds supply chain breach, a principal vulnerability, or the exploitation of public remote desktop services to ransomware businesses. The media's ability to spread fear, uncertainty and doubt is ubiquitous, and it can have a major impact on the business's ability to establish and deliver a long-term cybersecurity strategy, especially when it's captured leadership's attention. And so it's not to say businesses shouldn't address certain risks as they become public, but it's not an effective way to run a whole program, and each risk needs to be weighed up and, if needed, the roadmap adapted. So while it seems attractive to point to the rising cost of security breaches as evidence we need to spend every moment and every dollar on improving security, it is an incompatible outcome with running an effective business, because features won't ship and it will be easy for a competitor to start providing a better service. Fear and uncertainty can also be an excuse for security teams to say no to every piece of innovation, driving engineers to circumvent security to get new ideas off the ground. So if these emotions are allowed to rule, it can make unreasonable security decisions seem perfectly valid and justified, which can make managing security on a daily basis a lot harder.

The last threat we're going to look at is a psychological one, and it's a big one with lots of dimensions: it's bias. It can be introduced by generation, education, geography or culture, not only at an organization level but also at a national one, and each takes a particular way to resolve, and the jurassic causes can become more apparent when leaders aren't sufficiently managing differences in how people process information, interact with technology, learn and approach their own knowledge gaps. A really common example is in communication style, which can be exacerbated by culture, gender role or education. We also see these differences discussed in how we as an industry write job descriptions and blog posts and engage people in discussion, generally with a lot of debt domain-specific words and with a very heavy sense of contempt, which can limit who can be included but also who feels included. And we can't forget the impact that the Dunning-Kruger effect can have when someone starts to overstep their knowledge and offer up advice on areas they know little to nothing about. The threat posed by bias can be a difficult one to resolve, especially if people aren't willing to acknowledge their own and management is complicit in encouraging it.

But we have one more tool up our sleeve to help us chart these threats: the Security Culture Diagnostic Survey. It provides a means of visualizing the tension between information security stakeholders' priorities and the values that exist in every organization, and maps back onto the Competing Security Cultures Framework we discussed at the start. Keep in mind, like a lot of cultural-based things, I can't tell you how to read the results, and the survey isn't going to tell you what's going right or wrong, because culture is a very relative and contextual thing, but it will help you understand how cultures can co-function and collide. The survey is made up of ten questions, each with four responses that align to the four quadrants of the Competing Security Cultures Framework, with questions corresponding to key organizational activities that influence and are influenced by norms and behaviors central to information security culture. But when you go through these questions you will notice that most of them don't actually mention security specifically, and that's deliberate. Security culture is about how hidden assumptions under the surface influence how we do our job, not how the security team looks at security. And so the response choices allow the respondent to differentiate between the relative importance of stability and standardization, external validation and review, adaptability and freedom of choice, and a sense of shared community and responsibility. When graphed and overlaid with the competing cultures framework, you can see what perception looks like compared to reality. The thing that I love about this survey is that it's so versatile, and depending on how the results are charted you can see so many different stories being told. To the right you can see how the results of an organization-wide survey can be mapped onto a radar graph to show which factors people see as the most prevalent and where there might be room for improvement.

In this last section we looked into the future and saw how unmanaged logistical, emotional and psychological threats can manifest and what outcome they result in: with logistical threats impacting how people interact and craft strategy, emotional threats defining how we assess emerging security vulnerabilities and handle them on a day-to-day basis, and psychological threats affecting every aspect of how we interact with people around us, and which can encourage groupthink. But the security collapsologists have armed us with a tool that can help us identify these things, in the form of the Security Culture Diagnostic Survey, which asks respondents to express how they see key security operations balanced by the business, giving us an opportunity to map out the present and plan for the future.

We've talked about a lot of different tools and what they can do to help us, but how do they all fit together? The culture framework and survey give us a top-down view of the security culture, allowing us to orient ourselves amongst the organization's values and assumptions. It tells us areas of competition and cultural risk. It allows security leadership to look at where the organization currently is and decide if directional change is needed, but it won't tell you how to make these changes, because there is no one way, and using methods that work for one organization can have a devastating effect on yours. In comparison, the Security FORCE Behavioral Model is designed to provide a bottom-up perspective, analyzing how security behaves in practice and how this translates to group-based values. The behavioral analysis is important because, as an organization, you can't redefine your security culture by only changing behaviors; you also need to understand those drivers. At the same time, you need to have some idea of what behaviors to look at and improve if you're ever going to know whether transformation is going to be successful or not. And this consistent cycle between culture and behavior is at the heart of the relationship between the Competing Security Cultures Framework and the Security FORCE Behavioral Model.

Influencing culture requires a lot of work to get right, and as they say, Rome wasn't built in a day, or by one person. Depending on the state of the existing culture there could be a lot of work, and there might even be pushback from your co-workers who value the status quo or managers who benefit from existing power imbalances. So if you're the primary advocate in an unhealthy culture, it may not be possible for you to change much, and that's not a failing on you. Before starting, it's important to make sure you have the capacity to manage those internal and external expectations and to set firm boundaries about what is and isn't possible.

Once you're ready to take on the job of influencing cultural change, I challenge you to go and talk to your engineers, developers and designers about what problems they see with security. Don't argue, don't justify, just listen. Focus on their needs and critically analyze how security is impacting them, and start monitoring that, informally at first. In most cases I've seen, security often loses out in decisions when the decision makers are far removed from the people who are actually responsible for security, and so part of the job in running this project is to bring decision makers back into the fold to help get buy-in to a project like this. And once you have that, you can start to measure and analyze the security culture to a level where you know enough about it and how it works to make changes that will stick, and that you can demonstrate have stuck.

Culture requires someone to look around and identify those behaviors and threats that have borne witness to the rise and fall of empires, and it's these things that undermine every decision we make without knowing it. It's the reason management protocols like RDP end up on the internet, and even on the good days, within the best companies, these factors are still a massive force, which is why culture is still one of the biggest threats that will face the security industry. It'll persist regardless of code analysis, firewalls and third-party assessments. I'm Buffy, this is collapsology and why your biggest threat isn't exposed RDP. Thank you, and have an amazing conference.