
Hey now, it's on. Hello and welcome to the Network Security Pod... oh, sorry, wrong intro. So I'm Martin McKay, I'm Akamai security evangelist, recovering QSA. I spent four years between Trustwave and Verizon as a QSA, saw several hundred different corporations, and a lot of what you're gonna hear today is my view on some of the problems with security based on those observations. I saw a lot of people doing their best job and just not quite being able to do it, and it's not because people are bad, it's because we have some, in my opinion, fundamental flaws in the way we look at security, the way we think about security, which leads to flaws in how we do security.

I'm a Twitter troublemaker, I'm on Twitter all the time, many of you know that as you saw from the intro. Also security blogger and podcaster, and having a lot of fun doing it. I'm also an unreasonable man. If you know the quote, you'll understand what I mean, but I'll go into that a little bit later.

So the agenda today is to talk about the journey of a QSA, from bright-eyed and bushy-tailed and just out of QSA training to burnt-out, depressed and really having a different viewpoint of what security is at that point. I'll talk about some of the flawed assumptions I think we're making, and then I'll talk a little bit about what we can do to change things.

Oh, I'm sorry, for those of you who haven't had to deal with PCI, the Payment Card Industry Data Security Standard: a QSA is a Qualified Security Assessor. Basically, "qualified" is in quotes, you can put it in quotes. To become a QSA you go and you have to supposedly have some experience, you have to have either a degree or some other sort of certification like a CISSP, and you go and take about a week's worth of training on how to read the PCI requirements. Sometimes it feels like your brain got sucked out through your ears and put back in wrong, and then you are sent out into the field to take all of these rules somebody spent a week explaining to you and try and apply them to one of the most disparate environments you can find, when you're looking at how merchants take credit cards. "It depends" became the QSA's favorite words. "How can we do X, Y and Z in the cloud and still be PCI compliant?" "It depends." "Well, this is how so-and-so did it. If we do it exactly the same way, will we be PCI compliant?" "It depends." The problem is, at that point everybody does something differently, and until the QSA comes in and actually reviews every single thing, and then goes back and reviews the choices they've made before, reviews what other people have said, and still makes mistakes, you don't know if you're going to be PCI compliant with anything you do.

It's not a very good job to have, because a lot of people come to you with very interesting choices on how they're doing their environment and they want you to tell them that yes, they're okay. On the other hand, if they're not secure and you call them on it, they get very upset with you when you say, "Well, your firewall has not actually been audited in two years and therefore I can't pass you on your PCI assessment," and they don't understand how the rules work.

Being a QSA got me the chance, though, to see over the four years probably a hundred different companies, look at their networks, look at how they do security, and see a lot of the same things happening over and over again. So my thought on our fundamental flaws is not how do we do the technology, it's not what technology we're using. It really does come down to how are we fundamentally thinking about security, are we asking the right questions. I think that is actually one of the biggest problems we have: as security professionals we know what we have been taught, we know what some other people have said, but there really hasn't been enough time for us as a community to come up with a lot of the right questions to even come up with the right answers. We're right next to a little event that has a buzzword every year; last year was APT, I think this year it's mobile security, and we spend our time fighting the fight of the day, not fighting the fight of the year or the decade. We are trying to put out too many fires and we're making it up as we go along. We really are. As much as we have some very smart people, we have some very good people, we're mostly making it up as we go along and just trying to figure out what works, and the
reality is that things change too quick for us to actually stay up to date with anything.

So let's get into a little bit of the history of computer security, in my way of thinking. The career of IT security really started in 1988. You guys remember this movie? I remember this because this was filmed about a block from where I was working and a couple of miles from home, and it was horrible. The film itself, not the filming. Anybody recognize who this is? The Morris worm. This is the guy who wrote the Morris worm, which caused the start of the first US CERT. The Morris worm, the US CERT, okay. This really is where, and this is something that people will argue with me about and I have had many arguments about, this is where I think that security as a career really started: when that first US CERT was created. That was the first time security went from being one or two people's passion and something that they did to a career path. This is when it became something that you could say, "I'm a security expert, my job is security," and these are the guys who really got started. Maybe there's a lot of companies that had security teams before that, but they were few and far between. It was something you got into because it was a passion; it wasn't really something you could get into by saying, "I want to go to college and get a degree and start in security." These guys made a change. It also helped this guy decide to make Tripwire, Gene Kim. Actually I was hoping to harass him, but he's not here. This is really, like I said, where I think security went from being a few people in high positions being very passionate about what they do and very passionate about the career into a real career anybody could get into.

So the problem, I think, as I said earlier, is we are all firefighters. With few exceptions in security, we're dealing with emergency situations, we're dealing with a situation that comes up at the last minute, we're dealing with putting out other people's fires. That's actually one of the biggest problems we have, is putting out other people's fires. But unlike firefighters, we don't have a lot of success stories. We don't have a lot of "this is where my job ended and I did something good." That's slowly changing, but that's really one of the other problems.

So, I'm sorry about that, dogma. It's a hard word to use, but really we've based almost everything that we're doing in security on somebody else's thinking. From the very start, that's how people evolved, that's how people change, but a lot of this, I know when I was in security and just starting off, it's very like the PCI assessor, where all you have to go on is books written by folks like Bruce Schneier, folks like Adam over here, and you have other people's thinking to base your work on. But the problem is, everybody else is making it up just as much as we are, and so many of the people who are coming up in security are just basing what they do, what they think, on those previous conversations, on other people's thinking. When you look at a firewall, we all know firewalls don't work. We all know that they are not capable of stopping too many of today's threats, but because that's what people have been doing since they were invented, putting firewalls in place, we keep doing it. We keep having that filter there even though we know it doesn't work. We do that in so many aspects of computer security, where we're just doing it because it's what somebody else did. We're doing it because it's what we know we won't get fired for. It's like buying IBM used to be: if you put a firewall in place, then they know at least that you've done some of what you have to do and therefore you're doing your job. But with the environment changing so fast, with technologies changing so fast, with the aspects of our attackers changing so fast, we can't afford to rely on dogma, to rely on other people's thinking. We have to be forging ahead. Security is not a mature industry where we have the capability of actually relying on what other people have done before us actually working anymore, and that's one of the big problems, is relying on other people's thinking.

Wendy Nather likes to call security a teenager; she thinks we're a pimply-faced teenager that's going out into the world. But I actually think we're not even that far along. When you look at any other industry, as I said, if we count from 1988 on, we're only a 25-year-old industry, and not even quite that yet. When you look at what we're doing versus, say, something like the automobile industry was doing at 25 years, we have had so much more of an impact on the world than cars had at the same time, with about the same amount of research and, what's the word I'm looking for, with about the same amount of time to actually figure out what we're doing. We're just a fledgling industry, and people forget that a lot. We're new, we're figuring it out as we go, and that is our fundamental flaw number one: just that we think we're a more mature industry. We're not. We're an industry that has just barely stood on its feet at this point, and I think that, quite frankly, we need to stop pretending
that what we do is science at this point, because until we've gotten a lot more information and a lot more time, we're not going to be mature.

So the next problem is that, along with being firefighters, security is mom-and-pop for a lot of corporations. They make decisions that they have to go out and do things, and quite frankly we're just told, "Whatever we want to do as a business, you have to just support." That actually makes sense, because they're the ones who pay the bills, but when it comes down to it, we can say as much as we want, and in many cases, and again this is back to the QSA field, not everybody, but companies just say, "Go do this, make it happen," and we have to comply. It's dangerous, because for us, we really want to do that, we really want to make the business succeed, but we don't always have the power to be that brake and make it so the companies aren't doing insecure things or doing dangerous things. We don't always have the ability to tell them to go put on their helmet and pads before they go out and do something, and a lot of times even when we do, we get ignored. Sometimes when you're in security, really the right thing to do is just accept the risk, and we do a lot of that. But again, risk is not something that we have historical data on. One of the things that I did long ago and far away was I was a securities and life insurance licensed professional, and when you're in insurance you have actuarial tables, you have data that in some cases goes back hundreds of years to say what behaviors will lead to what amount of risk. In security we don't have that. We don't know what the risks are, and even when we do know what they are, they're changing so quickly. Sony is a great example of that. The company as a whole kept saying, "Yeah, we know you security guys keep telling us there are probably problems, but we're gonna accept the risk, we're going to move on, this isn't gonna happen to us." And how many breaches, I think it was 23 breaches that Sony had based on the Anonymous attacks and some of the other attacks, 23 different business units that actually got compromised.

Oh no, I don't think it was the first time at all. I think that those are just the 23 that we have been told about. I would probably say that there's probably another 23 of them or more since then that we haven't been told about, and you don't know how long-term any of the breaches before or after have been. So, I think, okay, to get off on that tangent for a moment, I think it's like many things that Anonymous does: there were compromises in place and data taken long before they announced it or anybody announced it. Probably the first five breaches had happened long before anybody acknowledged them and announced it, and the other 18 were probably just attacks of opportunity that other people did afterwards. So does that answer your question, and do you think I'm right?

Right, but with something like that, the SIEM wouldn't have probably even been looked at, because they didn't have the personnel. I don't know if you're aware of it, but about a month, I think, before the major breach, they actually fired or laid off a large number of their security team for the corporate portion of Sony, and that was actually, I think, instrumental in at least one of the lawsuits against them. So I don't think they would have had the people anyways. Resources is not one of the fundamental flaws; it actually comes from the fundamental flaws. We don't necessarily know what we're doing, so we can't always express it to
business leaders to get the funding we need.

So the thing is, how many of you guys recognize these characters? Alex Hutton is a great guy, and with Wade Baker, with the Verizon Business folks, with the Data Breach Investigations Report, Alex Hutton, that report actually became one of the first steps that we've taken along the way of actually getting some actionable statistics. It means that we can actually now start placing some more realistic risk measurements than we've ever had before. But when you look at the Data Breach Investigations Report, it's only targeting a super small set of businesses and systems that we know were compromised, and doesn't really explain what's happening on a wider scale. But that is still the height of the data we have at this point. The other guy, Josh Corman, is also my boss, by the way. When I was still a QSA, one of the things that he did was start pointing out to me PCI and some of the issues with PCI, which is that it's not good practices, it's not best practices, it's fairly minimal practice at that. When PCI first came out you could use it as a lever to get money in, to get resources, but more and more what we're finding is businesses just don't care. They whitewash the QSA, they whitewash the process, make it so that the accounting and other firms sign off even though there are vulnerabilities, even though they know that there are problems. It's not working. When you look at something like that, it just isn't gonna work long term, and so that's why Josh actually pointed out to me a lot of ways that PCI compliance isn't going to work, policy, while important, isn't going to work; it really is going to be us thinking about it.

Sorry, what that leads me to is that we're responsible for everything. We think we're responsible for everything, we act like we're responsible for everything. In a lot of cases that's not true. We've taken that risk on, we've taken that information on. We are not responsible for everything. We are responsible for doing what we can to advise businesses, we're responsible for getting more information, but really, when it comes down to it, that risk equation is a business decision, and not necessarily one that we are the best people to make. And that's a hard one. I don't know if there is a cure for that, because we do have a feeling of responsibility; we should have a feeling of responsibility for what's happening.

As I was saying just a minute ago, we really don't have a lot of evidence. The Verizon Data Breach Investigations Report is the height of our evidence. When you're looking at the first one, in 2008 or 2009, I think they had less than 100 breaches. When this one was done they added in some of the, I think, Swedish police force work, they've added in some FBI, but that's still less than 500 cases all told, and this, as I said earlier, is the height of our evidence. So how are we going to have scientific understanding of what we do? How are we going to have some sort of evidence to prove that what we're doing works or doesn't work when we just don't have the sharing, we don't have the ability to do it? Quite frankly, even when we're looking at something smaller, like a personal network, no, sorry, not a personal, like a corporate network, we don't know what's going on. I mean, how many of you have ever sat down across a table to start talking to one of your teams about a project they're working on? You've been working in the security department for a couple of years, you've been in the company for a couple of years, and all of a sudden that team says, "Oh, by the way, we have this other network over here." I can't count the number of times as a QSA where I started to sit down with people, and the security team, the audit team, would say, "Oh yeah, we've got everything straightened away," and then we'd start bringing in the business owners and they would actually say, "Oh, by the way, here's this other data stream you didn't know about." I think the funniest example of that that I actually saw was that I sat down with the team on Monday, I'm walking through everything with them, I'm talking through everything with them, and there's this one little lady sitting in the back of the room, just kind of smiling as the day goes by, nothing really big happening, she's just quiet. So a couple of days of this goes by, and on the third day, I think, everybody's talking, it's like, "Okay, we've been through all of the data streams, we know where all the data is, I think we're done," and the little lady in the back of the room kind of holds up her hand and says, "Well, you forgot about the Rolodex on my desk that has every client credit card number on it." She'd actually, literally, for years, the way the business worked was that yes, there's all this great information in the database, but she actually did most of the entry, most of the credit card taking and using, from her desk on that Rolodex, and they had a whole stream of data they just didn't even know existed.

The other thing is that even when we do have the data, a lot of
time we ignore it. We were just talking a minute ago about the Sony breach. How many lines of logs do these people get a day? Sony's not a small company. When we look at any of the SIEM or other log vendors, we really look at something that is trying to build intelligence into it, but there's not a lot of intelligence in any of it yet. It relies on a human being. The problem is, we as human beings fundamentally get bored when we see the same logs flowing by over and over again. It's very easy to get desensitized. But how do you balance that desensitizing for a person versus machine intelligence, which may or may not have any real intelligence behind it? Even the best of the SIEMs out there don't have a way of actually tying together the information in a way that a human being can. They're getting better, but I think we're still five to ten years away from where the correlation engines actually can match what a reasonable human can do, and we're probably 10 to 20 years away from matching what a good expert can do with correlation. That may be something that somebody else has more information on. And so instead of actually getting intelligence from logs, most of what we do in a lot of companies is just log it, say somebody actually reviews it, and then walk away. I can remember a number of times sitting down with people to start talking about log review as a QSA; it's one of the requirements, you've got to do it. Everybody says they have somebody reviewing logs, but then you actually get there in front of them and it's like, "Oh yeah, I don't remember how to use the tool," or "I've got to go back and find the password, it's in my drawer." Those are extreme cases, obviously, but so often we have the data sources, we just don't necessarily use them.

So we've got the three triads. We've got CIA, we've got respond, prevent and detect, we've got recognize, resist, react. These are great methods of kind of organizing your thoughts, but none of them really tell us what to do. They give us a way of what we're thinking about. My favorite, actually, is the recognize, resist, react, because it really does capture what we're supposed to be doing as a professional. Yeah?

I don't remember where I got it. Oh, it's a deep boy, okay. By the way, I suck at PowerPoint, so this is... But the reason why I like recognize, resist, react is because that really falls into one of our fundamental flaws: we don't necessarily have all the feedback nets and mechanisms in place to do that. We don't do it well, and that leads to flawed assumption number three, which is "I can keep my company secure." There's been a lot of blog posts about it, but in some ways we're losing the battle. We are going to lose the battle, because we have to be right every time; the bad guys only have to be right once, which means we are going to lose. We don't necessarily build our networks, we don't necessarily build our systems, in such a way that they're going to be resilient. We don't, in a lot of cases, build it in such a way that if there is a compromise it's going to let us know. And again, there are companies out there that are exceptions, but when I'm looking at the merchant sphere, this really has been one of the biggest problems, is people not learning how to respond and react.
Yeah, "I can manage my risk." It probably should be, but what we as a group look at is, we call it security and so forth; that's what we think we want to do. And really, in a lot of cases, I think you're right: we're actually just identifying risk and managing it as best we can and letting the companies make the decision.
Another part of this is that if you look at an allegory for our security, physical security, they don't say they're secure, except in a few cases. They say that they've got these measures in place and they talk about the risk, and if you talk to somebody who's really deep into physical security, they're gonna say a lot of what you just said: that we're not secure, we're not going to be secure, but we're secure enough for our purposes, right? And we don't have that in IT. I mean, some companies do, I'm not going to say nobody has it, but the majority of people don't.

Yeah, but it's what most of us think we're supposed to be doing, and it's what most companies think we're supposed to be doing. They think that we can wave a magic wand and make it so that they're never compromised, and we don't necessarily do a great job of explaining to management what that really means. On the other hand, we don't always understand it either. I think that you've got a good point, all three of you've got a good point, that the difference between security and managing risk is mostly in your head, and we don't do a good job of separating the two. No, I think we talk about it all the time, and luckily it's in such a case that it's where "this is what works in my environment, but your environment, even though you may use most of the same equipment, is gonna be different, therefore it doesn't work in yours." So you really... Has that been working for you? Because for a lot of places I've seen, "What data is important to you?" "All of it."

I think that this actually is probably, of the assumptions, I think this is the one we're actually closest to having some headway on. I think that there are more people like you out there all the time, but I think that in a lot of cases and a lot of companies, they're still just struggling with getting the message of what security is, and understanding what that message is.

So my fundamental flaws were: we're a mature industry. We are not; we really have a long ways to go. We think we're responsible for everything, and then luckily that one's a problem, because not only do we think it, many of our corporate overlords think that we're
responsible for everything as well, that they can do whatever they want and not have to deal with the risk, that we'll just take care of it for them. That one scares me. And then we think that we can keep our companies really secure.

So what should we do? Challenge everything that you've been taught. We know that things are changing, we keep talking about it every year, but there are fundamentals underneath it that aren't changing. We need to re-examine those quite closely and understand whether or not that still applies, whether or not the rules still apply. They're changing every day, and the people who taught us these rules, who came before us, were making it up just as much as we were. We have to get to a place where we're going from a bunch of ideas that were made up on the fly because we were fighting a fire to actually going back and re-examining much of what we do and whether or not it's really effective. We need to figure out if we can get statistics to figure out what's working or what's not. We find out the hard way what's not working, but we don't have a lot of evidence about what is. This goes back to your point of we have to understand the businesses better. I know that this is one we talk about a lot, but we have to get better at communicating. We have to communicate risk up the chain, and we have to get better at listening to what actually makes the business money. To me, people want to have security for security's sake without understanding what effect that will have on the business. And the last thing is we need to make sure that we know we're going to fail, that we can fail in such a way that it's not going to be catastrophic and that it's not going to be something that ends the business or our career. Like I say here, detect and respond instead of just having the static controls.

And if you go over next door, and you could think of any problem and go to a vendor, I'm willing to bet almost every single vendor out there will say, "Oh, well, here's how we can solve your problem," not ever saying, "Oh, we don't deal with that problem, maybe you should go elsewhere, and here's somebody who can help you."

But you're at BSides, so that shows that you're above average in that. Well, no, I mean that in that you're above average; you're actually somebody who is investing in their career enough to actually think about this outside of the eight-to-five hours, and a lot of the people you're talking about are the eight-to-fivers, the people that are in it because security is a career that looked easy from the outside, looked like it paid very well, and so they moved into it. I used to work for a state agency here in California; half of their IT and security department was based on having contractors come in, because everybody who worked for the state gravitated to security and IT because it paid best, and most of them had problems, or not most of them, many of them had problems turning on their computer in the morning, and so they had to have almost literally a second person for every employee that actually did the job. That's a little bit of an exaggeration, but it's not by much. And a lot of companies have that sort of personality, and add to that the fact that we've got almost a negative unemployment rate in security, and so anybody who can say "I do security" is getting hired. That's not a fundamental flaw in security thinking, that's just a fundamental flaw in the world.
But that's actually one of the fundamental causes, is that people think that there is a hundred percent. It's never gonna be a hundred percent. I mean, a great example of that is if you look at spam filters. We probably have more information on spam than we have on almost anything in security, and still even the best spam filters are 95 to 99, maybe even 99.5 or 99.9 percent, but that's still, when you're talking about 70 to 80 or 90 percent of the Internet's email being spam, why can't we do better? Why can't we handle that better? It's just a problem.

So what else? Establish a measurement of success. This is actually one of the things that we are worst at, and that gets us in trouble with our companies, and it's depressing. I don't know if any of you were in the stress panel on Monday, but we are constantly fighting the good fight without a measure of saying, "Hey, I won today." Right now, for most of us, it's binary: either I was compromised today or I wasn't. And even when we say I wasn't, a lot of times we're saying, "Well, I don't think I was compromised, but I'm not absolutely sure." So how do we establish that? We have to get more metrics, we have to get more information, we have to be able to say for certain, are we taking 90 percent of the risk away, or are we just putting a band-aid on the wound and hoping that we caught everything?

And then finally, the last thing is just being reasonable: question the assumptions. George Bernard Shaw: "The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man." Be unreasonable. Question your assumptions, question what people are telling you, question whether you're doing it the right way or not. We have, and being the guy up here speaking, we have huge egos, and I'm one of them. I'm gonna tell you, I don't know if these are really the biggest problems. I think that these are some of the fundamental problems, but I hope by having the conversation with folks we can start looking at some of this and changing the way we think about security, changing the assumptions that we make about what we do, and learn to make a better, more secure, less risky Internet and world and corporation. So that's it. Any questions, comments? Or you guys can go and get a break. Thank you very much. [Applause]