
Host: Our next talk is "Understanding Technical and Enterprise Tradeoffs in Cyber Security." So, without further ado, please welcome our speaker, Vanessa Redman. Over to you.

Vanessa Redman: Good evening. Good evening. Thanks, everyone, for staying for the late, late talks at the end of BSides. I hope everybody's had a good BSides experience so far. We're going to talk about a topic that could take way more than 15 to 20 minutes, so it's going to feel a bit fast, and that's okay. Feel free to come and see me and we can talk over drinks about this topic for a lot longer, for sure. But hopefully this will just give you a good introduction to the topic itself and have some keywords in there that you would recognize and that you can use later on.

So today, what we're going to be talking about: we'll go through the obligatory who-I-am. I have a little disclaimer rant; it won't take long, I promise. We'll talk about understanding the IT landscape, the human landscape, and some classic examples that, if you haven't seen them, you almost certainly will see: times and topics in which you think that maybe your business, your organization, should do this, and they say, "How about we do this instead?" We'll go over a few of those. You'll probably recognize a couple of them. And then we'll talk about the heart of the matter: mitigating and compensating controls.

So, a little bit about me. You don't have to read all of this. Essentially, I work in financial services as part of the CISO group in information assurance, so I mostly deal with second-line control testing of security applications and tools, as well as handling the cyber threat intel program. Prior to that, I spent 10 years in the Air Force, where I was an F-15 jet engine mechanic for a bit before I transitioned over into cyber warfare. There I worked as a tech lead for a red team, and I also taught at the weapons school here at Nellis Air Force Base. I have my bachelor's in computer science and my Security+ certification. My special nerd topic that I really like to study is algorithmic game theory; that's usually what I give presentations on, so these kind of more soft-skill topics are a little bit different for me, but I always bring game theory in somewhere, so you'll definitely see that here. I also wrote an essay in the book "97 Things Every Information Security Professional Should Know," which came out last fall. Spoiler alert: it's on research. And if you can't tell, I'm originally from Louisiana.

So before we get started, I always like to explain to people, if you don't already know: the number one answer in cyber security is "it depends." This presentation and the things that I go over, "it depends" applies there also. What I'm saying is not "absolutely you should not do this" and "you must do this." It's all going to be subjective; it's all going to be particular to your industry, to your experience. So take everything here purely as "I've seen these things out and about; you may too; maybe this will help you, maybe it won't," and that's okay. The whole point of this is to kind of create that discussion, and if you absolutely disagree or absolutely agree with what I'm saying, come see me and let's have a discussion. I'd love to argue or, you know, commiserate, either one.

Always, for my presentations, I like to give a slide of "why should I care?" Why does this matter? What is the importance here? If you haven't heard something along these lines before, you probably will at some point, or some derivative of it: "We don't have a problem with this. Why are we talking about this now? We've never had a ransomware attack. Why should we do anything about ransomware?" You might think that you wouldn't have those, but at some point somebody will ask why we should worry about this when we've never been hit by that. Or maybe somebody says, "Yeah, we could implement that tool, but that's totally not going to work for our environment." These sound very negative. They sound very "oh, I just don't want to do this security stuff," but as we'll discuss, there's a little bit more to it. No doesn't just mean no. There's always a little something extra there.

So, some of the examples in which good doesn't always win. Now, these are great things, right? Multi-factor authentication, password policies. These are things that we absolutely should have, and there are different ways that you can implement these kinds of controls. For MFA there is a lot of discussion about things like text-based MFA. Should you have SMS MFA? A lot of people, particularly now, would be like, "Absolutely not, that is not great MFA." Maybe you want to do a third-party app version, and maybe that's what you present, and then somebody goes, "No, you know, that's a lot of work, maybe that's a lot of money, maybe that's something that doesn't really fit for our environment. Let's just do SMS MFA." It's an example of it; it kind of gets you there, but maybe it's not what one would consider the best solution. And that's kind of at the heart of what this talk is about.

Password policies: people argue, organizations always differ, on complexity, length, how often you should rotate your passwords. I often like to ask people, especially maybe in mock interviews and such, "What is your stance on password policies?" Other than "yes, we should have them," should you rotate passwords? A lot of times people are like, "Absolutely, every 6 months," or every whatever. And then I'm like, "Well, that's interesting, because in 2017 NIST published a publication that said that you shouldn't rotate passwords. So what do you think about that?" That usually raises some eyebrows, because that's been around since 2017; it's been around for a minute, right? But not rotating passwords still is not necessarily a common thing. Why would we maybe not want to rotate passwords? Maybe it's because, if you're having to create new passwords every 6 weeks, then your passwords inherently get weaker and weaker as you go along, because you're having to remember these passwords and you're not supposed to write them down, or what have you. So that's another example in which you have a password policy, but maybe it's not an extremely strong password policy. It's a classic example that cyber professionals, security professionals, sometimes get a little discouraged by, because it's not the best that we can do, but it's the best that we can do right now.

Tool rationalization. I put this in because I think that it's interesting. Something that we're seeing more and more lately is everybody wants to buy a bunch of tools and do a bunch of things, but nobody's communicating amongst the teams and the departments about who's buying what tools and for what purpose. So you have a lot of dual tools out there that can do multiple things, but the teams are siloed and they have their own budgets, and so you have kind of tool bloat. Another example.

So, understanding the IT landscape. Typically, a lot of people are used to seeing a network map when you're talking about IT landscape, but I'm not necessarily talking about the technical landscape here. I'm talking about the way that the department operates. That's a little unsaid; it's not in policies and procedures. It's kind of like, maybe, the culture of the IT department. Understanding where security stands in that enterprise: is security respected, or is security just that team that you have to deal with because somebody said that we had to? It's important to understand that landscape so that you can understand what your bargaining power is and what kind of environment you're walking into when it comes to promoting a certain security posture, and maybe the different ways in which you're going to be able to do that.

Understanding budgetary constraints. This is a big one. If you walk in and you're like, "It's security, it's important, you need to spend X amount of money," that's just not how it goes. That's how we want it to go, but that's not realistic. So you need to understand budget cycles and budget restraints. If it's not already in a road map for this year, then you have to understand and adjust to the fact that maybe you have to put that in the budget for next year.

And moving parts and dependencies. IT departments can be very, very complicated, whole enterprises with lots of maybe legacy systems, third-party applications. There can be a lot of complexity there. It's almost certainly not a simple network. Because of that, you have to understand how to bob and weave and apply your security principles, or promote your security posture, knowing things like legacy systems.

Next is the human landscape. Here's my game theory reference. So I love reading about selfish behavior, not malicious selfish behavior, but the fact that humans are just inherently selfish. The prime example of this, a game theory example, is Braess's paradox. Essentially what it is, and this is a real simplification of the paradox, is: you have two ways that you can go to work, two different paths, and everybody's used to their one path. At some point, maybe the Department of Transportation creates a shortcut, and it's going to reduce your time, say, by 15 minutes. What used to be a 45-minute drive is now a 30-minute drive. Instead of thinking, "Now everybody's going to want to take that shortcut," you immediately take the shortcut, and then it takes you an hour to get to work because of the traffic jam, because everybody took the shortcut. You weren't thinking of second- and third-order effects; you weren't thinking about what everybody else was doing. You were just thinking, "This is a shortcut that's going to reduce my time by 15 minutes," but everybody else was thinking the same thing, so then it's not a shortcut at all.

So, understanding that, especially; you can apply that to passwords as well. Is somebody going, "I am going to laugh in the face of the security professional and create a really simple password"? No. They're like, "I have to create another password for this application? Well, let me just add an exclamation point at the end." That's classic selfish behavior: not understanding what those second- and third-order effects are. And also, from a security perspective, when it comes to trying to promote a security posture, nobody wants to be strong-armed. Everybody wants to feel like they're part of a team, that they're included in the process, that they had some sort of say. So that's also something really important to recognize.

The heart of the matter. I know I'm breezing through this; this is a really short amount of time to talk about a really complicated subject. But mitigating and compensating controls: you often see this terminology in terms of risk management. It's not something that we really talk about from a technical perspective a lot in an IT department. Mitigating controls are, I would say, your normal day-to-day controls that are meant to reduce the chances of a threat being exploited: your firewalls, your antivirus. Usually there's a whole list of key and general controls that are applied to an environment to reduce risk. The whole point of the controls is to reduce risk. Compensating controls are what happens when good doesn't always win. They're those controls that you're applying when you can't apply the recommended security control.

So these are a couple of examples from a YouTube presentation; I put that link down there. I have the management, operational, and technical controls under the compensating controls, but keep in mind that that also applies to mitigating controls as far as the type of controls. Management controls can be policies and procedures. So there's everything from the technical and operational to some of the indirect ones, like documentation. One of the examples that I thought was really interesting here is the second one, on segregation of duties. A lot of times segregation of duties already has some sort of management directive, documentation control. Video surveillance, I thought, was an interesting way of having that be a compensating control: you already have a directive that you're going to have a separation of duties, so then that video surveillance is that secondary control which you can look at to make sure that the right things are happening. When I was doing research for this, I thought that was an interesting twist; not many people would think about that as a compensating control. And also, MFA for each application: maybe the weight of implementing that is too heavy, so instead having general network access control with multi-factor authentication is a way. It's secondary, it's slightly indirect, but it still reduces the risk, which is the important part.

All right, that was super fast for me; I'm sure it probably was for you too. In summary, no is rarely simply a no. There are tons of other things that we're probably not thinking about from a security perspective when someone tells us, "No, we're not going to be able to have that tool; we're not going to be able to implement that system, that process." It's not an IT department or senior leadership being obtuse. There are probably reasons for that. Understanding the IT landscape and the human landscape is going to help you understand why maybe they're saying no in this particular situation. And if at first you don't succeed, try compensating controls. Thank you, everyone. I appreciate it. Any questions for me, or comments? Cheers, cheers. I'll take them all. Yes, sir.

Audience member: From those no's, do you generally get a negotiation of what we can try instead? If somebody says, "We don't want this control," you go, "Well, what can we do?" Or do they just come back with no and stop you from even investigating further?

Vanessa Redman: Rarely. Maybe in the past, maybe earlier on in information security, we might have gotten a no, because, especially from a non-tech perspective, people would just be like, "Oh, do we really need that?" kind of question. But nowadays I don't think that it's like that. I think that everybody is more used to security having a seat at the table now, and typically they're not just wanting you to spend money for the sake of spending money. So I think a lot of times it's "No, I don't think that's possible," and usually someone at that table's like, "Well, what about this?" I think generally everybody understands it's for the good of the business and the organization, and so you do have a good team dynamic there, I think, in most places. Thanks for that. Anyone else?

Audience member: Let's say that you work in an environment where you're told that leadership is concerned, and really I'm speaking for myself, but that's the reason why your position exists, but you feel that they're looking at the wrong things. So they say that they're concerned and they thank you for your contributions, but let's say the metrics that they are interested in are in fact the wrong things. There are so many of the things that you want them to be looking at because, based upon the business, it's higher risk, whatever. So how would you go about shifting that perspective for them?

Vanessa Redman: That's a good question. I think a lot of times it depends on where that department sits in the business, what that team is. I think sometimes what you see is maybe that is a risk department and they're looking at the risk from a business perspective as a whole, so where does this little security piece fit into the whole risk enterprise? I talk a lot about speaking the same language as whoever is in the room, and I always use risk as an example because I think that it's a really great one. I think as IT professionals we're not used to explaining things in terms of risk and impact, but in this situation, being prepared to explain that in terms of business risk and impact is really where you're going to be able to get them to understand where their priorities lie. And I talk sometimes about business justifications. Those are definitely a thing, and it might be that you're absolutely told, "I get it. Yes, it's important. It's not that important in the grand scheme of things." In those situations, my whole thing is: then we just need to document it. If you're going to sign off on it, especially as a senior leader or as an executive, you know what, I'm going to be okay with that, because the business is covered as a whole. I don't have to get what I want. The important thing is that you understand my position on this, and then whatever action you take, we have it documented somewhere, so if something does happen, or an examination or an audit, everyone is covered. Does that answer your question? Awesome, thank you. Any more questions?

Host: All right, thank you, Vanessa. Great. Thank you, everyone, for coming.
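The commuter-shortcut story from the talk, worked through as an added example that is not part of the transcript: a Python simulation of selfish route choice on the textbook four-node Braess network. The leg times are constructed here (they are not the speaker's 45/30/60-minute figures); each driver switches only when the switch is faster for them, and the resulting equilibrium shows the shortcut lengthening everyone's commute, the same second-order effect the talk then applies to password choices.

```python
# Constructed network (textbook Braess example, not the speaker's figures):
# 4000 drivers go S -> T; two legs take a fixed 45 min, two take (drivers on leg)/100.
DRIVERS = 4000
EDGE_TIME = {
    ("S", "A"): lambda n: n / 100,
    ("A", "T"): lambda n: 45.0,
    ("S", "B"): lambda n: 45.0,
    ("B", "T"): lambda n: n / 100,
    ("A", "B"): lambda n: 0.0,  # the new "shortcut" the DOT opens
}
OLD_ROUTES = [[("S", "A"), ("A", "T")], [("S", "B"), ("B", "T")]]
SHORTCUT = [("S", "A"), ("A", "B"), ("B", "T")]

def flows_for(routes, counts):
    """Drivers on each leg, given how many chose each route."""
    return {e: sum(n for r, n in zip(routes, counts) if e in r) for e in EDGE_TIME}

def route_time(route, flows):
    return sum(EDGE_TIME[e](flows[e]) for e in route)

def selfish_equilibrium(routes):
    """Best-response dynamics: everyone starts on routes[0]; one driver at a time
    switches to any route strictly faster for them, ignoring the effect on others."""
    counts = [DRIVERS] + [0] * (len(routes) - 1)
    while True:
        flows, moved = flows_for(routes, counts), False
        for i, route in enumerate(routes):
            here = route_time(route, flows) if counts[i] else None
            for j, alt in enumerate(routes):
                if here is None or j == i:
                    continue
                # trial: the leg loads the mover would see after switching route -> alt
                trial = {e: flows[e] - (e in route) + (e in alt) for e in flows}
                if route_time(alt, trial) < here - 1e-9:
                    counts[i], counts[j], moved = counts[i] - 1, counts[j] + 1, True
                    break
            if moved:
                break
        if not moved:  # nobody can shave time by switching: equilibrium reached
            return counts

def average_commute(routes):
    """Mean trip time in minutes once every driver has settled on a route."""
    counts = selfish_equilibrium(routes)
    flows = flows_for(routes, counts)
    return sum(n * route_time(r, flows) for r, n in zip(routes, counts)) / DRIVERS

def commute_times():
    """(before shortcut, after shortcut) -> (65.0, 80.0): the shortcut hurts everyone."""
    return average_commute(OLD_ROUTES), average_commute(OLD_ROUTES + [SHORTCUT])
```

Before the shortcut the drivers split 2000/2000 and each trip takes 65 minutes; once the shortcut opens, every driver ends up on it and each trip takes 80 minutes, even though no single driver can do better by switching back.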