
BSidesMCR 2019: Nice Vulnerability, I Don't Care - James Carter

BSides Manchester, 30:52, published 2019-09

Transcript [en]

Good afternoon everyone. Yes, my phone is working. Did you enjoy your lunch? Yes? Somebody's probably already asked you this, but I hope you did. Right, okay. There's lots of people here that can tell you lots of really scary things about deep technical problems and things they found out and how to break things in a really complex way. This is not that talk; this is something different.

Okay, so who am I? I'm James Carter. I work as a cyber risk manager, a grand-sounding job title, for a large international engineering consultancy. I've been working in tech for 25-plus years, the last ten of them in security exclusively, and I've done pretty much every job you can do in IT except for web design. I started writing code for 6809 processors, if anyone is that old in this room.

More importantly, who are you? Who here identifies as blue? What I mean by that is: who is a defender, who works for an IT team, who tries to keep their organisation safe? Well, 70, 80 percent of you. Excellent, right, okay. This is what your life looks like: here's an OpenVAS scan, and it's all red. Is it always red? Is it always red every month? Does your life feel more like this? Yeah, probably. Why is this? Why are you always basically doing the same thing? Why can't you get any traction on changing that red to orange to yellow to green? Is it just organisational inertia? Is it just such a big organisation it can't get changed? Is it that nobody listens when you tell them how bad stuff is? You've been to all the technical talks here and you've learned all the technical stuff about really bad vulnerabilities, and you've gone and said this bad stuff is happening, and they've gone "yeah, right, thanks" and got on with it. Do they just not understand technology? Or are you basically stuck in the echo chamber? Are you actually talking the right language?

What I mean by this is: as security professionals we have a really specific language we use. We talk about zero-days, we talk about vulnerabilities, we talk about malware and other things. That's incredibly important to how we do our jobs, but that's not the language that our organisations speak, so we're not talking...

Just to recap: are we talking the right language? Are we actually not being understood by our organisations because it's not the right language? What are the languages that our organisations speak? I work for a big private organisation. You don't all do that: you'll work for public companies, you'll work for local authorities, you'll work for NGOs, all sorts of different organisations. So forgive me if I use the language of the organisation I work for and talk about boards and things like that; you'll just have to mentally translate. How does your organisation, whatever type it is, make choices and prioritise? What do other teams, other groups within your organisation, do to make choices and prioritise? And also, internally, what gets the right attention at the right level? If you want to effect a change, if you think there is something particularly bad that needs to be done, who do you need to talk to to get that done? How do you get their attention? You can probably guess from my job title what my answer is going to be: we're going to talk about risk. Risk has a technical language of its own, so I'm going to talk to you about the technical language of risk. We're going to talk about a few of the technical terms and then we're going to look at how you can use risk to make your job easier and to communicate with your organisation.

So, fire. Who's seen this, the fire triangle? To get fire you need fuel, oxygen and heat. Seen this? Cool, right. Take one away, you get rid of the fire. Self-evident. It's exactly the same as risk. Here is the risk triangle. Risk is made up of three things: vulnerability, value and threat. I'll talk about it a bit here: this is not technical vulnerabilities, although it might be; it's any sort of vulnerability, and we'll come on to what that is. Exactly like fire, you take one of those away and you get rid of, or you've modified, the risk. So far so good? Excellent, I'll take complete silence as confirmation.

Right, so, the three parts. Value: what has value? Information has value. I'm sad to say, unless you happen to be very lucky and work for a tech company, the thing that your organisation values is information. We mostly work for IT departments. We are so focused on the T, because it's cool, it's what we do, it's what we like to do, it's what you love doing, that we often forget about the I. Actually, our organisations really only care about the I, and I'm sorry to say, without the I the T is just expensive tin and services, and frankly I suspect our organisations would probably live without it if they could. But they can't, because they need it.

So what makes information valuable? Lots of things. Sorry about the flickering on the slides; it's probably my machine. Maybe it's intellectual property, which is valuable to your organisation; you can actually attach a pounds value to that information. Maybe that information attracts regulatory or legal value: GDPR attaches a specific value to a piece of information. Maybe it's nothing to do with pounds; maybe it's reputation. Many, many other things make information valuable. Okay, the old-fashioned triad of information security: confidentiality, integrity, availability. Think about these in terms of valuing your information, and don't forget the information sits on top of a system, and that system sits in a building. All those things attract value, and they inherit their value through the information; most of them have no inherent value in their own right.

Okay, threat. Too many words; you may read the slide, I will not read it to you, but it's easy. Threat is the what: this is what is going to happen. Okay, so we've got value, we've got threat; the final piece is vulnerability. Again, this is about weaknesses. Now, this has weaknesses in systems, obviously: technical weaknesses, vulnerabilities, all the ones you found with Tenable Nessus or OpenVAS, all of those. But it could also be a weakness in design, it could be a weakness in process, it can be a weakness in any way related to the system. It could be a weakness in the entry systems of the building, that you can basically walk in: you could have the most brilliant cybersecurity, but if someone can just walk into the building it's useless. So, vulnerability.

So we've talked about the technical language of risk in terms of value, threat and vulnerability. We put that together and, interestingly, that gives us a format for describing a risk. What I mean by this, here's a quick example: our threat is the loss of confidentiality; the value is personal data held by HR, something GDPR, something from Europe; and the vulnerability is that we have uncontrolled use of USB media. So therefore, in a very short sentence, we have described a risk. We've gone from "uncontrolled use of USB media is really, really bad because bad things will happen" to having a formatted description of the risk. So far so good.

Okay, you've got someone's attention. You've gone to talk to your management team, who you want to do something, who you want to persuade to do it, and you've got their attention; you've shown them a risk statement. The first thing they're going to say is: how bad is it? Can you quantify the risk? There are multiple ways of quantifying a risk. The simplest one is like this: "Hmm, it feels quite risky to me." It's okay, it works, it's just not the best. There are many, many good ways of calculating risk. If your organisation already has a way of calculating risk, use it. If you can use it, if you can hook into it, use it, because they accept it already; it's already used to calculate risks and make decisions. If you've got a health and safety team, they certainly have a risk calculation methodology: jump on the back of that, use it, adapt it, steal it. Remember, information security is just health and safety for data, nothing more, nothing less.

You're going to say, why don't we just use CVSS? And you can, but CVSS is a technical score and has nothing to say about your organisation unless you redo the calculation for your organisation. Again, right back into the echo chamber: we're talking our language, not the language of our organisation. The Common Vulnerability Scoring System: you'll find that a vulnerability will have a CVSS score from zero, or 0.1, to ten, ten being "oh my god, the world's going to end", and working its way down; critical is above seven, for example.

Okay, so if we are going to quantify risk there are many ways of doing it; you can find lots of them. I'm going to show you one, a simple one, and it's basically this: the value of your risk is the impact of the risk multiplied by the likelihood of it happening, and I'll show you how that works.

So let's talk about impact first. Impact is based on the value of the information plus all the supporting systems. Consider the loss of confidentiality, integrity or availability. Impacts are not just financial. What I mean by this is, let's have a look at a simple scale. Now, this one's got three grades: low, medium, high. The one used for the organisation I work for has five; this one's got three. I'm not going to read all of this, but basically: a low impact is, you know, a bit of money; then a bit more money; then quite a lot of money. Reputation: reputational impact, especially with larger organisations, publicly traded organisations. They care about value a lot, but they care about reputation more. You can always make more money. Okay, you make a mistake, it costs your company money; you can make more money. It's hard work, but you can do it. If you lose your reputation, you lose your ability to trade, and if you lose your ability to trade you can never make more money. So reputation is often much more valuable than just value. And you might have a regulatory impact: you might get increased supervision, or you may get fines or criminal proceedings. There are many other types of impact. You need to work out what this is for your organisation; this is specific to your organisation. There is not one size fits all. If there was, it would be easy.

Okay, likelihood. What's the probability of the risk occurring? Has it happened before? What have we done about it so far? What's the maturity of our current implementation? So, an example of that: here is a simple three-point scale of likelihood, from low (low probability, maybe less than 10 percent for example, never happened before, and you've got great controls) through to high (it is going to happen, maybe one out of two times; it has happened; it happens frequently, all the time: HR are always losing memory sticks and we've got no control on USB media). So there is your high likelihood. Again, this is specific to your organisation. Again, the one this organisation I work for uses is a five-point scale. And if you're into ITIL, interestingly, you can take the ITIL scale of maturity and invert it: therefore a high-maturity control has a low likelihood of occurring, whereas a very immature control, ad hoc or non-existent, has a high likelihood of failing. Okay, makes sense so far? Silence? Great, excellent, you all agree with me.

So how do we then calculate the risk? As I said, to quantify the risk: risk is impact, which we talked about, times likelihood, which we talked about. Again, this risk appetite is unique to your organisation; nobody else will have one just like yours, and it defines how much risk you can afford to take and want to take. So we use a simple heat map: three by three, five by five, four by four, whatever suits your organisation, whatever works. A couple of things you'll notice. One is it's asymmetric in this case. It doesn't have to be; you might have one that's perfectly symmetrical. You might have the one down here, where this organisation has decided that no matter how unlikely it is, if you have a high risk we are going to call that red. So I've just used a simple red and green, more yellow than amber, red-amber-green metric for this. You might give them names, you might give them numbers, you might have five, seven, twenty grades. It's up to you; one that works. Simpler is better, and as I say, if your organisation's already got one, use it. In this one, my example, we have: anything that's red, fix now; anything that's yellow, fix soon; anything that's green, accept it. And that's new, because if we come from the IT break/fix world we're used to the idea that we have to fix everything all the time, because if you don't fix it you don't get to close the service ticket. Ridiculous. So the service desk ticket, you fail your SLA, exactly. But you don't have to fix it.

You can treat the risk; this is what we used to do. Treating: we take some action to mitigate the risk, we change something. We can tolerate it: we can accept the risk, we can live with it. Now, you might not be the person who is authorised to accept the risk, but you could do the risk calculation and present it to your management structure, whatever flavour it is. You might be the person to accept it, or they may say they can accept it. You should be very careful of accepting a risk which you are not authorised to accept. There is a technical term used, called ultra vires; it means you are accepting risks which are not yours to accept, and if you do that you end up being somehow responsible or liable. Make sure the right people understand who should be accepting the risk.

Transferring a risk. Now, this is interesting; not many people come across this one. This is basically making the risk somebody else's problem. Fantastic. You can buy some insurance, and all of a sudden your insurance company is taking the risk, because they're going to take the financial hit if it happens and you're just going to pay them some money. Or you're going to transfer the risk by buying a service and making that service responsible for the risk. Usually transferring a risk will involve you paying some money for it.

Or you can terminate the risk. You can just say, you know what, this is too risky, we are going to stop doing it. If you think about the risk triangle, threat, value, vulnerability, you might say this information, no matter how we try to handle it, is too risky, too hot to handle; we just don't want to be doing this anymore, we're going to stop; we're not going to do that anymore because actually the risk profile is wrong for us.

Make sure you document and agree your decisions, because especially if you accepted a risk and then something blows up later, at least you can show the piece of paper: oh yeah, well, we looked at this and we accepted it. Not great; you don't want to have to shrug your shoulders. You take the responsibility for what you do, but also say: we advised you to treat the risk, you decided it was financially too expensive, and as a management team you chose to accept it. As long as you've documented your work, you're fine. Yeah, yes?

[Question inaudible]

Technically, ignore is also tolerate. But if that's your organisation doing that, they are by default tolerating it; all you need to do is document that that's all they're doing.

So, using risk: you will now have a simple example of risk language. This is the language your organisation may already speak. They will probably understand it better than the language of zero-days and malware and other things to do with what we do and what we enjoy doing for our day job. You have an ability to show them why something is important and when it's important, and also when it's not important. But you also have, going back to our "it's all red": even the stuff that's red on CVSS, on the OpenVAS or Tenable scan, you can now look at that and say it might be red from a technical point of view, because they found this vulnerability, but this vulnerability is in a system of such low value that I'm going to risk assess that and say it's a low risk, and my risk matrix, my appetite, says I don't need to do anything about that, I can accept that. So are all the actions required to be done? No: nice vulnerability, I don't care.

So just to recap, I've got a couple of minutes left. Is the echo chamber really an ivory silo? Is it of our own making? Rather than being the poor misunderstood security people, are we actually creating the problem for ourselves by using language which is great for us (and we have to have that language to do our jobs; I'm not saying there's anything wrong with that language) but is maybe not the language that our organisations speak? Risk is threat plus vulnerability plus value. Quantified risk is impact multiplied by likelihood. Pro tip, by the way: if your impact is greater than your value, you've undervalued your asset. You can never have an impact greater than the value of your asset. Then an action, aligned and agreed with your organisation.

So we have a technical language for security, but there's also a technical language for risk. We need, as security professionals, I believe, to speak both if we are going to make headway with making cyber security, IT security, whatever you want to call it, relevant and have meaning in our organisations and be taken seriously within our organisations. So on that basis I'm going to say thank you very much. Are there any questions?

[Question inaudible]

Yeah, absolutely. I would, I think, say ISO 27001, yes. No matter which standard you want to layer on top of it, I think ISO 27001 is the best base standard, because it's the most holistic and it's the least technical, but it also covers all the other domains like physical security, HR security, governance of security. So yeah, I'd take ISO 27001 as absolutely the best, because if you then have a requirement to deploy NIS or PCI DSS or anything like that, you can always lay that on top of the ISO 27001 and map those controls down into Annex A, into the 114, if you've got... you can do that.

[Question, partly inaudible: ...without regular review, there's the potential that a risk is tolerated... somebody replaces it with a less functional model because of cost saving, and so we end up with a whole bunch of stuff that was tolerated that we now have to emergency fix...]

Yep, absolutely right, and I have crammed what was a five-day course into 20 minutes. So yes, once you've done your risk assessment it's a living document. You've got to come back to it. You've got to say this is tolerated, or this is accepted, until this date, and then we review whether it has changed. So you're quite right, there is a time component to that which I didn't mention. And also, I'll be honest, the "I don't care": actually I do care, but it's a great title.

[Question inaudible]

Okay, the bosses. Well then, if they're not responsible for it, who is? It's their business. They're the ones who ultimately will take the financial hit. They're paying us as security professionals to tell them what's wrong. If they're not prepared to listen to that, well, you can't do much about it; maybe we just need to keep drip-feeding this into them. The important thing also, and this is why I suggest you use the same risk model that other parts of your organisation use: it means if you go to your management team, your executive board, your supervisor, whatever it is, and say we've got a high risk, there's a high risk on our organisational risk model, they should, if we're lucky, take us seriously, treat that as seriously as a high financial risk or a high health and safety risk, because we're using the same model, we're using the same scale of criteria. If they're not listening to that, I suggest you just have to keep saying it until they do. Or wait till the first thing goes wrong, and then it suddenly gets a lot of attention. But at least if you've been talking about risk and documenting it... it's always good to have it all together: a risk model for personnel, a risk model for people leaving, so it's the same across the board. If you'd actually documented it, I don't want to be in the position of saying to someone "I told you so", but there probably is a nice way of saying: we did warn you, you chose to ignore it, this is what's now happened; however, we still have all the things that we suggested you do to fix it, let's get it out of the box and try it again. You're never going to fix your organisation; it's not your job to fix your organisation. It's your job to be a good security professional. Any other questions?

[Question, partly inaudible: ...do you take into account...]

You need to balance the effort against the impact, but again, 20 minutes versus five days. Yeah, you're going to say this might be one of your reasons for tolerating a risk. You might say that the impact of this risk is 10,000 pounds and the cost of fixing it is 500,000 pounds; we're just going to live with it. But unless... maybe it's only 10,000 pounds financial, but maybe the reputational damage will be enormous. If you can get that message across to your budget holders (you know, sometimes you are the budget holders, sometimes they're all the people who make the best decisions)...

[Music]

[Question, partly inaudible: ...one of the challenges a lot of companies will face is discovery of what they have already...]

Yes, there's an easy way of doing that. That scale of impact I gave you: take that scale of impact and say to them, identify your data sets, and do it in big globs if you can, don't do it on individual files, and say to them, what would be the true value on this scale, low, medium, high, one to five, whatever it is, of the loss of confidentiality, of the loss of integrity, of the loss of availability? That gives you a model for assigning value which you can then plug into that formula.

[Music]

[Question inaudible]

Right, they might not [inaudible]... you can lose all this business, but maybe losing the ability to do business is the thing that they will value. I've run out of time.

[Applause]
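The risk language the talk walks through, written out as a small worked example (added here; it is not the speaker's material): a risk statement in the threat / value / vulnerability format, likelihood inverted from control maturity, impact times likelihood read off an asymmetric heat map, and an accept decision that carries a review date. The three-point scales, the maturity cut-offs, the heat map colours and the second risk (a scanner-critical finding on a worthless host) are all constructed assumptions, not the speaker's organisation's actual model.

```python
"""Added example (not the speaker's own material): the talk's risk language as code.

Risk = impact x likelihood, read off a constructed, asymmetric 3x3 heat map that
encodes a risk appetite, and likelihood derived by inverting a control-maturity
score as the talk suggests. Scales, cut-offs and the appetite are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed heat map indexed [impact][likelihood]. Asymmetric on purpose:
# a high-impact risk is red however unlikely, and a low-impact one is
# accepted however likely (the "nice vulnerability, I don't care" case).
HEAT_MAP = {
    "low":    {"low": "green", "medium": "green",  "high": "green"},
    "medium": {"low": "green", "medium": "yellow", "high": "red"},
    "high":   {"low": "red",   "medium": "red",    "high": "red"},
}
ACTION = {"red": "fix now", "yellow": "fix soon", "green": "accept"}


def likelihood_from_maturity(maturity: int) -> str:
    """Invert a 1..5 maturity score (1 = ad hoc/non-existent, 5 = optimised)
    into a three-point likelihood. The cut-offs are assumed for this example."""
    if not 1 <= maturity <= 5:
        raise ValueError("maturity must be 1..5")
    return {1: "high", 2: "high", 3: "medium", 4: "low", 5: "low"}[maturity]


@dataclass
class Risk:
    threat: str          # the "what": e.g. loss of confidentiality
    value: str           # the information (or system) at stake
    vulnerability: str   # the weakness that lets the threat happen
    impact: str          # low / medium / high on the organisation's impact scale
    control_maturity: int

    def statement(self) -> str:
        """The talk's format for describing a risk in one sentence."""
        return (f"Threat: {self.threat} of {self.value}; "
                f"vulnerability: {self.vulnerability}.")

    def likelihood(self) -> str:
        return likelihood_from_maturity(self.control_maturity)

    def score(self) -> int:
        """Impact x likelihood as a number, for ranking within a colour."""
        return LEVELS[self.impact] * LEVELS[self.likelihood()]

    def rating(self) -> str:
        return HEAT_MAP[self.impact][self.likelihood()]

    def decision(self, today: date) -> dict:
        """Action plus a review date: an accepted risk is a living decision,
        tolerated only until a date when it is looked at again."""
        action = ACTION[self.rating()]
        review = today + timedelta(days=365) if action == "accept" else None
        return {"rating": self.rating(), "action": action, "review_by": review}


# The talk's own example: HR personal data (GDPR) on uncontrolled USB media.
HR_USB = Risk("loss of confidentiality", "personal data held by HR",
              "uncontrolled use of USB media", impact="high", control_maturity=1)

# Constructed: a scanner-critical finding on a system that holds nothing of value.
LOW_VALUE_HOST = Risk("loss of availability", "test server holding no business data",
                      "unpatched service rated critical by the scanner",
                      impact="low", control_maturity=1)

if __name__ == "__main__":
    for r in (HR_USB, LOW_VALUE_HOST):
        print(r.statement(), r.decision(date(2019, 9, 1)))
```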