• We have between 25 and 45 mins to disseminate the info, so sit back, grab a drink and off we go.
An admission:
• Up until yesterday afternoon I thought I was part of a panel doing this, didn’t have slides or anything
more than talking notes. Needless to say, I was a little surprised when I realized it would be me solo
waving my electronic arms around.
• And worked
• If I smell, sorry, you are on the other end of a computer, bear with me.
I’m going to simply assume that there are lawyers on the call: I feel it is only fair to give you a 10-second head start
and a wind advantage.
et al
Familiar?!?
Squirrel moment:
• READ Kübler-Ross, pick your stage of grief based on your status in this mess, and then move forward!
• 5 stages of grief:
• Denial
• Anger
• Bargaining
• Depression
• Acceptance
• The biggest barrier to improvement efforts is the natural defensiveness of EVERYONE involved in breaches who
initially see the process and data as negative.
• The grief model gives an outline of the phases through which we must move to be ultimately successful.
Squirrel moment over:
So, how much did they get wrong?
• Arguably the two simple things that they got wrong were:
1. How they handled the breach once they were aware of the situation: Incident handling.
2. How they recovered from the breach once the initial WTF moment passed: Recovery.
• Incident handling:
• Detection: nope, failed here multiple times; LE had to tell them (or find the data for sale on the open market).
• Analysis: failed; when you do analysis and miss a billion accounts…something’s wrong.
• Containment: yea, nope, moving swiftly along…
• Eradication: nope, not in three attempts, and blaming state actors is never good unless you HAVE evidence.
• Recovery (see below)
• Recovery:
• To improve and reduce or eliminate any recurrence of the incident… Nope, last count 3-4-5 breaches?
• To gain an understanding of the impact upon the business, yep IF we tell our users we’re screwed…
therefore “keep digging”?
• To provide clear and concise reporting to leadership…Yes, but no action?
Let’s not forget the elephant…
Bugger all…
BUT! All the data was encrypted…
• Doesn’t that count for something?
• NO! Not when the algorithm was cracked before most geeks were born!
• If my data is encrypted at rest am I secure?
• NO! Not when you use an algorithm that was flawed in 1996.
• If my data is encrypted in motion am I secure?
• NO! Not when you use an algorithm that has FREE websites to crack it!
• Will I pass the audit if I am using encryption?
• YES! You will if the auditor doesn’t ask WHAT bloody encryption you use.
• STOP fooling the auditors AND yourself… Leave MD5 to die peacefully.
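To put numbers behind the MD5 point, here is an added illustration (not part of the talk): an unsalted MD5 password store is a one-to-one mapping, so a precomputed table built from a constructed list of common passwords reverses any leaked digest instantly, while a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256 here) make the same table worthless.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample of weak passwords; a public "free MD5 cracker" site is
# just a much larger table of exactly this kind.
COMMON_PASSWORDS: List[str] = ["password", "Passw0rd!", "123456", "letmein", "welcome1"]


def md5_store(password: str) -> str:
    """The weak scheme: unsalted, fast, and identical for every user with the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words: List[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once; every later reversal is a dictionary hit."""
    return {md5_store(w): w for w in words}


def reverse_md5(digest: str, lookup: Dict[str, str]) -> Optional[str]:
    """Recover a plaintext from a leaked unsalted digest, or None if it is not in the table."""
    return lookup.get(digest)


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened scheme: random per-user salt plus an iterated KDF, stored as one string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    leaked = md5_store("Passw0rd!")
    print("MD5 store reversed to:", reverse_md5(leaked, table))
    # Same password, two users: two different strings, so the table cannot be reused.
    print(pbkdf2_store("Passw0rd!") != pbkdf2_store("Passw0rd!"))
```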
Seriously…how much did they get right?
• OK, the last slide wasn’t too fair, so let’s take a look and see what redeeming features we can find in this.
• Security Policy
• It had to be there in some form, but obviously NOT effective, so in practice both useless and dangerous.
• Organization of Information Security
• When the leadership team won’t pay attention OR action simple security solutions you have a toothless tiger.
• Asset Management
• All your source code (cookies remember) belongs to someone else? Yep, this one’s got some holes too.
• Communications and Operations Management
• Given “protection against malicious code” is in the middle of this… I’m afraid we can’t even give them this.
• Access Control
• Let’s see, someone has been in your systems for years siphoning your data (close to 2 billion with all tallies), so nope.
• Information Security Incident Management
• Detect and manage incidents… The ONE redeeming thing here is that eventually they came forward and admitted guilt.
• Compliance
• There’s probably a lawyer somewhere IN Yahoo who thinks they did the right thing by not fessing up about the breach, probably a
loophole in compliance that they used… To that lawyer…”may you live in interesting times.”
OK, so realistically where’s this going?
By 2020 there will be somewhere between 26 and 30 billion devices connected to the Internet.
• How many of you think that you are keeping pace with the attackers?
• How many of the attackers are holding onto your data and you don’t even know it?
• How many of you invest the same amount of money in those blinking lights as you do in your users?
• Social engineering is not a dying art…it’s alive, well and probably has eyes on your company.
• How many of you care more about the perception of a breach as opposed to guilt over losing MY data?
• It’s never good when you put the reputation of the company ahead of those trusting you to protect them.
• How many of you look outside your 4 walls, assess your vendors, partners, contractors, etc.?
• Given the plethora of attack vectors those afford us…someone needs to be paying attention!
I think Despair.com sums up the current feelings
Let’s talk defense for a moment:
The goals of data security:
• Guard against open and legal collection efforts that can harm a company.
• Static defense plays a role, I am not advocating throwing out your firewalls or A/V, but I am advocating you
supplement it with something other than another damn blinky light that nobody watches.
• Get a solution that does the watching FOR you, preferably something that doesn’t stick out like a sore thumb
and itself becomes an attack vector!
• Simply put, waiting to invest in security is, arguably, these days a death sentence for the very organization you
have been employed or retained to protect.
• Oh, and when times are hard… PLEASE try to not cut security spending first, learn from Yahoo’s mistakes.
A sobering moment…
• You can’t stop us from getting in.
• Simple truth, and debatable for as long as you like, for every instance you give us of a technology that is “meant
to be a barrier” we will give you several ways past that illusionary roadblock.
• You put a firewall in place; we went past those in the 90’s and never looked back.
• You put IDS/IPS in place and we can bypass that.
• You use DLP, but you leave port 80 open for web traffic, or you don’t filter… we can exfiltrate anything.
• You have “deep packet inspection” but we’ve been bypassing that since 2012.
• You have patches…congratulations we have 0Days.
• You have Antivirus…congratulations it’s at best 3-7% effective and half the time is disabled.
• You have endpoint protection, but logs are local and nobody reviews them.
• You have SELM fully installed…and you have more alerts than a full team of minions can handle.
• You have IoT; we now have an entire landscape of attack vectors that are unmonitored.
• You have built-in encryption, but the computer is ON, which bypasses it.
• You WOULD have policies, procedures and controls IF you could all agree and not fight.
• YOU have to be successful 100% of the time; we only have to get lucky once.
A ray of sunshine…
• What you CAN do though is build a security architecture around restricting my movements.
• My landing point is simply that, somewhere to rest my feet while I survey my new domain.
• Once I’ve landed and set up camp I need to escalate and move around YOUR environment.
• I’ll make noise.
• I’ll be checking into files, folders, systems and anything I can find to give me that edge.
• I’m going to be rooting around all over your company…these days for an average of 190+ days before the alarm
goes off.
• Change that!
• Set a baseline for user and system behaviors.
• Understand your environments better than you do today!
• And trap me! I should not be able to walk into anything at will, you have the capability to deploy the electronic
equivalent of lures, breadcrumbs and deceptions that act like Alice’s Wonderland…
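The baseline-and-trap idea above, as an added toy detector that is not part of the talk: it runs over constructed log lines, flags a logon from a host outside an account’s normal baseline, and treats any touch of a canary account or canary file (names constructed here; nothing legitimate should ever use them) as a high-confidence alert.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed baseline: the hosts each account normally logs on from.
BASELINE: Dict[str, Set[str]] = {"alice": {"ws-alice"}, "svc_backup": {"bkp01"}}

# Constructed lures: a decoy account and a decoy file that only an intruder would find worth touching.
CANARY_ACCOUNTS: Set[str] = {"svc_legacy_admin"}
CANARY_PATHS: Set[str] = {"/shares/finance/passwords_old.xlsx"}

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOGS: List[str] = [
    "2016-09-22T08:01:12Z LOGON user=alice host=ws-alice",
    "2016-09-22T08:03:40Z FILE_READ user=alice host=ws-alice path=/shares/finance/budget.xlsx",
    "2016-09-22T23:14:05Z LOGON user=alice host=db07",
    "2016-09-22T23:15:31Z FILE_READ user=alice host=db07 path=/shares/finance/passwords_old.xlsx",
    "2016-09-22T23:17:09Z LOGON user=svc_legacy_admin host=db07",
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON|FILE_READ) user=(?P<user>\S+) host=(?P<host>\S+)(?: path=(?P<path>\S+))?$"
)

Alert = Tuple[str, str, str, str]  # (kind, user, host, timestamp)


def analyse(lines: List[str], baseline: Dict[str, Set[str]] = BASELINE) -> List[Alert]:
    """Return alerts in log order; unparsable lines are skipped rather than crashing the detector."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, event, user, host, path = m.group("ts", "event", "user", "host", "path")
        # Anomaly: a known account appearing on a host it has never used.
        if event == "LOGON" and user in baseline and host not in baseline[user]:
            alerts.append(("off_baseline_logon", user, host, ts))
        # Traps: any use of a canary is an alert, no baseline needed.
        if path in CANARY_PATHS:
            alerts.append(("canary_file", user, host, ts))
        if user in CANARY_ACCOUNTS:
            alerts.append(("canary_account", user, host, ts))
    return alerts


if __name__ == "__main__":
    for kind, user, host, ts in analyse(SAMPLE_LOGS):
        print(f"{ts} {kind}: user={user} host={host}")
```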
OK, so what else CAN we do?
• If you are sitting there thinking “hey, that’s a cool idea” or “what the heck IS he on about”…
• We should talk.
• Now.
• It’s probably too late, but heck at the very least you’ll hopefully have demonstrable losses less than Yahoo…
• It could be worse, you could have $1 Billion removed from your valuation like they did.
• You get the idea: get a baseline, get a plan and action the damn thing.
• Although IF you are really sitting there thinking it’s a cool idea, we probably need to get some sensors in place to see how BADLY you’ve
been p0wned.
• Come to RSA, we’re giving alcohol and a sensor to everyone in this demographic…
Lessons from Yahoo: Metrics
• More informative metrics to define the effectiveness of security to the executives.
• Better definition of what the executives need to see to help them understand security…and why it’s important.
• Exec: Don’t shoot the messenger
• IT: Don’t coddle the Exec.
• Exec: Pay attention to this shit please! Seriously, for a change actually give a DAMN about the people you are
meant to be protecting. This is no longer a bloody risk vs. reward game.
• Maturity models: start to define one, start to understand where you are in it…and plan accordingly
• Effective communication between:
• Executive team (business agility)
• Operations (cost efficiency)
• Security (bulletproof systems)
• Rope in the business (they own the data NOT IT/IS/InfoSec)
• Rope in HR, legal, compliance, risk etc…make them part of the decision tree!
Lessons from Yahoo: Passwords
• Feel like I’m beating a dead horse….but it would be nice for once to NOT break into a company because
defaults or outright dumb passwords are being used.
• Would be nice to break into somewhere where biometrics or smartcards are in widespread use, or two factor
correctly deployed.
• The “cost” argument of deploying is BS… cost of remediation is 8x the cost of deployment; start fixing your
passwords (please)!
• User education, user awareness, user understanding AND executive buy-in…NOT on the exclusion list.
• QUIT MAKING IT EASY! NO DEFAULTS! NO “Passw0rd!”
• Pass-phrases, seriously use them!
• Different pass-phrases/words for different categories of risk
• ANY website that “only” allows 6-8 Characters with no specials (because the developers don’t know how to
make it work) Firebomb them…you KNOW who you are (automotive finance sites, retailers, etc.)
If you are on here you need to leave now...
• I have many different things I want to do with you and
none of them are repeatable in a public forum.
• Many involve hot pokers…
• Some involve ants and sand…
• You get the idea it’s not pretty.
• You KNOW better but are too lazy to comply and to
hold up YOUR end of the security bargain.
• You ARE a threat and will be the common point of
compromise.
Actually stay, you ARE my target & landing zone!
Lessons from Yahoo: Humans…
Thanks to threatgeek.com!
More thoughts:
• All your data belongs to:
• Samsung (your TV viewing habits, regular screenshots and ransomware)
• Google…yea pretty much anything you do
• Your car…welcome to the infotainment system, V2V and V2X
• Map Apps….who are working with the advertisers (and your car)
• Social media…that’s more your fault than anyone else!
• Your toaster…it’s connected to the smart-system in your house :)
• Your coffee machine…IoT KNOWS you need coffee at 7am
• Etc.
• Welcome to the Internet of everything, all your data belongs to ????
We are more than just a number, a statistic, a line item on a
Cyber Liability insurance claim!
In closing:
• Per the opening statement…I’m locked away and it’s 4am, so bear with me:
• The Yahoo breach was a mess on many levels.
• The blame game can be played out in a number of different ways, it doesn’t change the facts that they got
their asses handed to them several times and were unforgivably remiss in notifying any of us.
• YOU might be next, so mock them carefully.
• Security is not a point solution, it’s a journey, a game of chess and a learning process AND we are playing catch
up. However, you have to translate that into CEO/CFO speak, so DO it!
• Stop talking about how we can’t do things.
• Talk about how DO we solve these issues.
• We have to change our approach:
• Focus on who is interested in your data. (REAL threat intelligence, not the crappy stuff)
• Focus on where that data actually is. (This one’s a doozy, sorry!)
• Focus on you, your vendors, partners and 3rd parties.
• Focus on your people; remember, training them costs less than one blinky bloody firewall.
• Please look beyond the stagnant, static Maginot line style defenses that are failing you.
So Long And Thanks For All The Fish...
…Douglas Adams, you are missed.
• Hopefully this has been both insightful AND entertaining (and not death by PowerPoint)
• Hopefully some of this is useful, and you can download, print and beat people over the head with it!