The Threats to Our Community by Avi Douglen

[Music] [Applause] [Music] [Applause] so while i sort this out i'll uh get started because i'm really really excited to be here and it's not just because it's less crowded on the side of the stage is a really special talk for me it's not a standard security talk it is a security talk but it's not about security it's about the security community still no screens and i think the security community compared to other communities is uniquely positioned to apply our security skills to the very fabric of our community itself to build a more secure community and we're going to talk about that as soon as we could talk about threat modeling well who here is familiar with threat modeling quick show of hands who's heard of threat modeling other than just now there's a good show of hands that's pretty good not everybody threat modeling is basically a way it's a structured framework to think about security of your system to do a structured security analysis of a complex system there's a lot of different approaches a lot of different ways the uh going back to some of the old folks in the room might remember a famous paper from 1999 by lauren and prairie working at microsoft put together a paper called the threats to our products and they basically laid out this structured framework of how to do threat modeling and they introduced something called stride which we're going to use without this good to go yay all right so that's threat modeling who here thinks community is important come on a little bit more than that we're at b-sides who thinks committee is important yes community doesn't just happen people work hard at it round of applause for everybody working on b-sides they work hard at it but i want i want to take these techniques of threat modeling of security analysis which is one of the best ways to analyze a complex system and apply this to one of the most complex systems i know which is a community and apply this to build a more secure community that's exactly what we want to do quick introduction to myself actually omar pretty much said everything my name is avi duglan you can find my internet face bouncing around contact details if you want to reach out to me my pronouns my day job i do security consulting at a small boutique called bounce security but i am more active in several different communities as omar said i'm one of the leaders of the oasp israel chapter i'm on the global board of directors of owasp if you have any complaints about oauth feel free to send them my way i probably won't be able to do much about it but feel free to complain that's what we do best i'm also a community moderator on the security stack exchange site it's the stack overflow site for security fantastic resource with a large community global community that actually built up around this site as well so i have quite a bit of experience with different kinds of online communities i'm also one of the co-authors of the threat modeling manifesto which is a great way to get started with threat modeling or to upgrade your existing practice to something even better you're gonna go to threatmodelingmanifesto.org if you have seven minutes you could read through it twice and it's really interesting to to see how to scale up better and whatever approach you take to threat modeling but what is threat modeling right this isn't going to freely borrow from the manifesto i feel comfortable doing that since i was one of the authors this little statement took us about three weeks to put together 15 people but what is threat modeling threat modeling is about analyzing representations of a system to highlight concerns about security and privacy characteristics the emphasis here is mine i have my own definition that i usually share with developer teams but this serves our purpose well here because it's about security it's about privacy right there's a lot of different things and it's about concerns we didn't say threats it's not a long list of bugs long list of vulnerabilities concerns things that we want to take care of things that we want to consider about how to fix how to make better and we do this not by testing the live system but representations we take an abstraction of a system this might be a diagram it might be the design of a system it might be some other description of it abstractions for those of you that not familiar with this diagram it's a classic picture of a world war ii bomber obviously the bombing effort was big deal for in world war ii for the allies a huge amount of aircraft fire losing a lot of planes i think 25 of the planes didn't come back and the allies said you know what let's collect some data about the where the planes are getting shot every plane that came back they marked down where the planes were getting shot and there's a good map of where the planes get shot i'm gonna put more armor wherever the planes get shot survive better it's a lot cheaper and makes more sense than flying an entire tank for sure but right before they did that they realized they fell into a very common trap called survivor's bias they were only looking at the planes that came back so this is actually a really good map of where you don't need to put armor on the planes because all these places are a place where the plane will get shot and still come back we're a lot more concerned about the planes that don't make it back so they need to put armor everywhere that you don't see bullet holes because if the plane got shot in the cockpit it's not coming back that's where they need to put armor in the same way we don't need to care about every possible attack we don't care about people not trying to attack our system we care about the attacks that get through we care about the attacks that actually impact whatever value we have in our system whatever data we have whatever records we have we need to think about how these attacks work and how these threats affect our system so why do we want to be doing threat modeling it makes you a lot more efficient whatever you're doing if you're building a simple web form application deep technology machine learning bug bounties pen tests whatever you're doing threat modeling it the system you're working on will help you be a lot more efficient it'll help you focus on the parts of the security that actually matter the ones that will give you the most value it'll help you make more informed decisions over time and there's this concept of the shared understanding of what security actually means for our system everybody familiar with the parable of four blind folks describing this great big thing that they found in the room and one of them says there's this big pillar i can't move it the other one says i keep bumping my head on this leathery surface over here and another one is complaining that there's this feather keeps slapping her in the face and another one says this hoes just stole my hat and they don't realize they're all talking about the same elephant very often with teams we'll see that in the same way everybody has a different idea of how the system works of what security actually means to us threat modeling gets us reading on the same page in the same direction and understanding and agreeing what security actually means to us in our context i'm going to pull one best practice out of the manifesto there's a bunch of others but this one i really like in our context to really have an impactful threat modeling practice you need to have a culture of finding and fixing issues it's not just enough to say okay we're gonna go look at these things but you have to have a culture built up around of actually fixing the issues and the problems that you find and there's a lot of different methodologies a lot of different approaches whatever you take whatever you decide to use you're going to need to answer these four questions sometimes we call this adam showstax framework adam shellstack is practically the godfather of modern threat modeling literally wrote the book on it uh years ago when he was at microsoft and as a co-author of the manifesto we actually adopted this into the manifesto as well because threat modeling is about answering these four questions number one what are we working on what are we building is it the system is it this diagram is it is that feature or that kind of security what is the system that we are working on number two what can go wrong these are the threats the concerns the assumptions we might have about the system number three what are we going to do about it it's not just about generating a long list of vulnerabilities it's about actually making a more secure product a more secure system and like any process we need to ask ourselves did we do a good job it makes sense and we might analyze a system it's a online system we might use something like a data flow diagram a dfd and you got your processes and your data stores and your data flows going everywhere and it gives you a really good view of how the system works the different components the interfaces between them and how everything could the architecture how things work and what crosses crust boundaries and we can analyze this diagram in a really effective manner another approach excuse me another approach to analyzing system is based on the value chain what i like to call the value-driven approach and this is focusing less on the vulnerabilities but more on the value right number one why are we working on this what is so important here about this system what value do we get out of it again if you're building a feature are we doing this usually it's to follow the money sell more product maybe it's to get more eyeballs on my cat blog maybe it's a literal chain with a diamond hanging on that you're going to steal at the end of the movie right whatever it is you want to understand what the value is what you're after and then we could ask ourselves well how do we get there from here how does this that we're working on actually produce that value as a direct value chain and then we can just go ahead and say well how do we protect that value chain how do we make sure that that actually happens right now when we're trying to find the issues the what can go wrong the threats a common framework for this is known as stride introduced in that 1999 paper stride is a mnemonic it stands for spoofing tampering remediation information disclosure valve service elevation of privileges good repeat that in a second but it's important to realize that this is you know six different categories of types of attacks that an attacker might be looking for what their goals are to do in your system what are they looking to do but it's not a classification scheme it's all about structured brainstorming to help you focus on asking the right questions to understand what it is you're looking for and you could ask tons of questions tons of questions kind of kind of like you're a five-year-old tons of questions to find what would happen if what would happen if what can i do within finding and finding additional very specific attack scenarios for each one of these classes of threats but again once you've found the threat you don't need to start classifying it which bucket does it fit in it's not that kind of scheme it's just about the structured brainstorming and spoofing spoofing is all about identity who am i who are you pretending to be somebody you're not tampering is about playing with data until something breaks trying to harm the integrity of that data repudiation is claiming you didn't do something which you ostensibly did claiming something didn't happen and making it a way that you can't prove it that i did do it information disclosure of course is uh harming the confidentiality of data denial of service is blocking the availability of the system and there's a lot of different ways to slice and dice this right it might be the whole server crashes it might be one module is not available you can't log in whatever it might be one user it might be all users there's a lot of different ways to look at this and finally elevation of privileges excuse me is all about authorization basically doing anything that you shouldn't be allowed to do and the way we do this is we go one bucket at a time once one of the stride elements at a time we go through that dfd that data flow diagram one element at a time and we ask very focused questions what kind of spoofing threats are there on this element what kind of tampering threats are there on that element and in this way we can find ask questions and find and identify a lot of those issues now this is a common framework i want to go ahead and take this framework and apply it on more complex systems real world systems an actual community now we need to ask ourselves whose responsibility is it to be doing this threat modeling thing well pretty much everyone and the interesting thing is that most people do some form of threat modeling in the real world they most people have some idea of what the threats are you're parking in a dark alley you're going to lock your car right you're buying a new house or building a new house you might be worried about the ground floor windows so you're going to put bars on the windows because you're worried about a velociraptor attack or thieves i don't know i don't know your life whatever zombies whatever it is don't talk to me about zombies the problem is that most people are not experts in all of those fields don't have rigorous structure for that that's why it's important to use this structured framework structured methodology that help you approach and design and design and understand the threat model of whatever it is you're working on and it's important to note all threat models are wrong some are useful this is not the original quote i like to mangle it as all threat models are wrong some are useful the threat model is not about perfection it doesn't need to be exact by definition we're dealing with abstractions so they're not exact what's important is that it is useful is useful to find and identify those security issues right it's fine that it's wrong as long as it is useful to us to find issues that we need to fix with that in mind i want to present a very wrong model a model that is not comprehensive not complete it's not any kind of formal model but it might be useful for us to help to think about how to deal with these threats that might be on a community first thing we need to ask ourselves what actually is a community we need to model the system we're working on before we model the threats well easy flippant answer is that community is a jungle it's pretty fitting here but truthfully you know it's a great theme for a conference it's not really the way you want to leave your lives you'd rather live in a more rule-based society where people respect the rules and are safe and you know you can address lots of different forms of communities but most pretty much fit into these principles number one the reason you're joining a community a community is to help each other that's why you're here right you're here to help each other do the thing whatever that thing is right here the thing is to learn security to do security better right every community will have different rules but every community has rules and everyone expect is expected to comply with them to follow those rules and in every community everybody contributes in some form in some manner and it's very important that all members of the community are important if you have members that are not important they're not really part of the community or maybe they're part of a parallel community because i mean that's really the point of the community we're here to help each other that's the point of it but if we're modeling a community as a complex system that really means that we need to treat we need to attend to people as if they are components of that complex system and like any complex system some components go rogue some components don't follow the rules some compute some components are not supportive of the community goals in security we like to talk about insider threats being a pretty big issue we need to talk about community insider threats as well now obviously for modeling a community a data flow diagram is not what really fit here it doesn't work we might want something more like a worldly map really interesting structure that helps you focus on the value flow between the components of the system focusing on who contributes who are the leaders who actually benefits from the different activities and the different contributions of the community and all the different levels of the flows of power dynamics between the different parts of the community between the different groups between the in crowds and and the outcrowds and so on all right now based on that we can now have this amorphous idea of a community and start thinking about what kind of threats we may find and you know i do want to say you know we're talking about real life actual physical threats so if you're feeling uncomfortable by anything i say you know if you feel like you need to step out that's fine i promise i won't be insulted and i apologize for making you feel uncomfortable but that's fine that said let's talk about spoofing threats spoofing is all about attacks on identity that's literally what spoofing is and there are all kinds of these kind of threats in a community and these are just examples this is not a comprehensive model in any way just examples of how to think about what we should be looking for the first example is pretending to be an expert on something you know what i'm not an expert on this this is definitely not my field there are people who are experts on social threats but i'm learning i want to share that but there are people get up and tell you they're experts and you know they claim to have certifications and and yet they have roles i mean how many directors of 8200 were there in the past year we all know people like that that pretend they're experts on things and they're really not another form of attack on identity is on other people's identity is misgendering right not respect not being respectful of their identity or dead naming when you use a person's uh pre-transition name that's not respectful is very harmful makes people feel attacked another form of spoofing putting your name on somebody else's work or claiming their ideas are yours changing their identity and then there's this whole idea of you know the good guy who's up there and and pretending to be the good guy who thinks they are the good guy and you get to things like the innocent lives project was which is a group dedicated to helping and preventing uh preventing child abuse that was actually run by an abuser which leads to a whole you know grooming conversation pretend to be somebody good and it's gotten to the point where somebody told me you know any middle-aged white guy that wants to talk publicly about these topics is probably a yellow flag right there and you know i can't blame them for saying that but let's talk about tampering let's talk about tampering threats and again it's all about attacks on integrity and there's a lot of different ways to look at what integrity means for a community for you know real life uh social uh environment one way to look at it and this is something that i have done in the past is my mistake mia culpa if you include somebody who produces or uh uh who produces software weapons and sells them to dictators who chase down and murder their citizens and you introduce that person as a speaker at your conference at your event and again this is something kind of a slow-moving mistake that i kind of my fault and i couldn't stop it once it got started it harms the integrity of that event and it did it harms the integrity of that organization long term and it does and this harms the integrity another way of looking at it integrity of truth misinformation right or de