Security Hygiene: Focusing on What Matters Most

Author: Jeff Propes
Date: June 11, 2016

Follow along with me at http://self2016.grimoi.re/security_hygiene/

Overview

Standard Security Models

Why These Models Suck^WNeed Improvement

Hygienic Security Defined

Axioms of Computer Security

Things Not Covered

What we won't discuss with our limited time today:

The Typical Security Model

Security practices typically follow a well-defined model of risk assessment [1] [2]:

Terms

Threat - A potential harmful occurrence

Vulnerability - A weakness that allows a threat to cause harm

Risk - The quantifiable value of a threat to a vulnerability

Scope - Selection criteria to determine relevance

Resources - Money, time, attention, talent

A Worse Security Model

When security vendors come calling:

A Worse Security Model - Analysis

What changed from the original model?

Even Worse

The untrained (newbies) can fall into a purely reactionary pattern:

These Models All Suck

These risk analysis-based models have serious flaws:

Implementation Details

It's too easy to become captivated by the details of one particular threat. Example: SSL certificates

Compromises Still Happen

"Some organizations have the enviable position of ample information security funding, yet they are often compromised. Why?"

We Can Do Better

The standard models require large amounts of resources and an economics-like process for allocating them. If you don't have large amounts of resources or a degree in economics, then what are you to do?

A holistic approach based on an analogy to hygiene and the human body.

Defining Hygiene

"Hygiene refers to conditions and practices that help to maintain health and prevent the spread of diseases." [4]

Defining Hygiene cont.

Hygienic security practices are not as rigorous as the standard security model.

High-quality guidelines that can be bent or neglected on occasion.

If we treated our health like the risk assessment model, we'd never leave the house.

Avoid taking things too far: e.g. anti-vaxxers, germophobes, FoodBabe, etc.

Examples of Hygienic Security Practices

Hygienic Security Crossover

Hygienic security practices look a LOT like best practices from other systems disciplines:

Axioms

The security analogy to hygiene is insufficient on its own, as it lacks adequate context.

The following slides are a personal collection of axioms regarding computer security.

They are largely born of my observations over the past 15 years.

Note: also partially inspired by Rich Mogull's guiding security principles [5]

Axiom #1 - Red Team

Axiom #1: Think like a red teamer.

Axiom #2 - Users

Axiom #2: Users are lazy. They are also unfixable.

Axiom #3 - Attack Surface

Axiom #3: Minimize your attack surface.

Axiom #4 - Defense in Depth

Axiom #4: Defense in depth.

Axiom #5 - Trust

Axiom #5: Be stingy with trust.

Axiom #6 - KISS

Axiom #6: Simple things are easier to protect than complex things.

Axiom #7 - Breaches

Axiom #7: You will be breached. Plan accordingly.

Physical Security

Show of hands: How many of you have hard drives or jump drives sitting on your desk at work right now?

Social Engineering

Corollary of axiom #2: because users are lazy, they can be taken advantage of by an attacker who's prepared.

Conclusion

Security is not easy to do well, and common approaches take a LOT of RESOURCES and TIME.

With a hygiene-based approach, one can quickly sift the workload into what's important and what's less so.

Apply security axioms with great prejudice (especially percussive maintenance)

Fin

Thanks for coming!

This presentation can be found permanently at http://self2016.grimoi.re/security_hygiene/

Citations

[1] Conrad, Eric, Seth Misenar, and Joshua Feldman. "Risk Analysis." CISSP Study Guide. 3rd ed. Burlington, MA: Syngress/Elsevier, 2010. 58-59. Print.
[2] Bayne, James. An Overview of Threat and Risk Assessment. SANS Institute, 2002. Web. 1 June 2016. <https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76>.
[3] Conrad, Eric, Seth Misenar, and Joshua Feldman. "Budget and Metrics." CISSP Study Guide. 3rd ed. Burlington, MA: Syngress/Elsevier, 2010. 64. Print.
[4] "Hygiene." Health Topics. World Health Organization, n.d. Web. 09 June 2016. <http://www.who.int/topics/hygiene/en/>.
[5] Mogull, Rich. "My Personal Guiding Security Principles." Securosis Blog. N.p., 30 Dec. 2009. Web. 06 June 2016. <https://securosis.com/blog/my-personal-security-guiding-principles/>.
[6] Northcutt, Stephen. "The Attack Surface Problem." Security Laboratory: Defense In Depth Series. SANS Institute, 7 Jan. 2011. Web. 09 June 2016. <http://www.sans.edu/research/security-laboratory/article/did-attack-surface>.
[7] Propes, Jeff. "So You Were Breached. What Now?" SELF 2016 Presentations. Grimoi.re, 10 June 2016. Web. 10 June 2016. <http://self2016.grimoi.re/incidence_response/>.
[8] Nickerson, Chris, and Ryan Jones. "37: Social Security Engineer." Exotic Liability. Podcast Chart, 5 Aug. 2015. Web. 09 June 2016. <http://www.podcastchart.com/podcasts/exotic-liability-bd0954d2-a1a9-43b6-9122-ef7561ee5ea8/episodes/37-social-security-engineer>.