Security AwarenessLost between Chains and Walls

Everything we hear is an opinion, not a fact. Everything we see is perspective, not the truth.

“”– Marcus Aurelis

The Weakest Link in Information Security…

mostly People…?

The Weakest link…

•A popular Metaphor/Figure of Speech in Information Security.•Metaphors influence our thinking. They simplify the complex. They persuade by creating a vivid picture in our mind.•They by-pass our rationality and make us more accepting, less skeptic.

The Weakest link…

•The chain secures our asset and is held together by links.

•We achieve security by mitigating risks through implementation of treatment plans or simply “controls”.

ChainIf one link fails, the chain breaks.

SecurityIf one control fails, our security breaks down.

Chain Wallsvs.

ResilienceThe failure of one control should not lead to the total collapse of our security.A resilient security architecture is build upon defense in depth or zero-trust models.

Incidents: From Start to End

Every breach has to start somewhere.

Not every start leads to a successful breach.Threat Events are not Loss Events.

The path to a successful breach is paved by a series of mistakes.

ThirdPartyRemoteAccessManagement!! Network

Segmentation

! EventManagement

! SystemHardening

! EndpointProtection

!BehaviourAnomalyDetection

! DLP! VulnerabilityManagement

STUXNET• Exploitingfourzero-dayflaws.• Signedwithstolencertificate.• WinCCdefaulthard-codedpasswordnotreset.Leakedyearsbefore(at

leastsince2008).• InfectionviaUSB (NoDeviceControl)• Enteredthroughhackedsuppliersorinterceptedcontrolsystemsinthe

supplychain.• Propagatesthroughthenetwork.(NoNetworkSegmentation)• Attemptstoaccesstheinternetanddownloadanupdate(NoEgress

Monitoring).• NoIntegrityChecks.

HowComplexSystemsFail[RichardI.Cook,MD.CognitiveTechnologiesLaboratory,UniversityofChicago”,http://goo.gl/7Q3LOj]

• “Catastropherequiresmultiplefailures– singlepointfailuresarenotenough..”• “Overtcatastrophicfailureoccurswhensmall,apparentlyinnocuousfailuresjointocreateopportunity forasystemicaccident.Eachofthesesmallfailuresisnecessarytocausecatastrophebutonlythecombinationissufficienttopermitfailure.“

• “Post-accidentattributionaccidenttoa‘rootcause’isfundamentallywrong.”• “Becauseovertfailurerequiresmultiplefaults,thereisnoisolated‘cause’ofanaccident.Therearemultiplecontributorstoaccidents.Eachoftheseisnecessaryinsufficientinitselftocreateanaccident.Onlyjointlyarethesecausessufficienttocreateanaccident.Indeed,itisthelinkingofthesecausestogetherthatcreatesthecircumstancesrequiredfortheaccident.Thus,noisolationofthe‘rootcause’ofanaccidentispossible.Theevaluationsbasedonsuchreasoningas‘rootcause’donotreflectatechnicalunderstandingofthenatureoffailurebutratherthesocial,culturalneedtoblame specific,localizedforcesoreventsforoutcomes.”

Tosummarize

1. Securityisnottypicallybuiltonsinglepointoffailure.

2. Ittakesmorethanbreakingasingle“Link”/Controltoresultinasignificantincident.

3. Thereisnointuitivescalewithwhichtomeasuretheweaknessofonetypeof“link”againstanother.

Allofthisissimplebut ifwearenotconsciouslyawareofit,wemakethewrongdecisions.

KEEPCALMAND

STAYRATIONAL

Sticking with Metaphors

Hackers will go after “the lowest hanging fruits”

Hackers will take “the path of least resistance”

Assumingthat“TheweakestlinkinInformationSecurityis

People” leadsustoInformationSecurityAwareness.

IbelievethatSecurityAwareness

canbe...

HighExpectationsandExaggerations“MakeyourWeakestLinkyourStrongestAsset…”

MetricsWhatnotwhy…CausalityandCorrelation

• Addinginsulttoinjury:“WeakestLink”,“Thinkbeforeyouclick”,“Don’ttakethatbait”

• “SecurityisEveryone’sresponsibility”isthewrongmessage.• Bettertosay:“Everyonehassomesecurityresponsibilities”

Motivation,Incentives,BehavioralScience,OrganizationDevelopment,ChangeManagement,LearningTheories,Gamification…

andevenPsychology

Beforeweaskotherswhattodo(ornottodo),weneedtomakesurewehavedoneourpart.

Phishing

Takinganaction• DiscloseUsername/Password,ConfidentialInformation• Issuepayment..(BEC)• others

RunningMalware

Trickpeopleinto…

Malware

Don’tOpenSuspiciousAttachments

IsourendpointsecuritystillbuiltonAntivirus?Usenext-generationendpointprotection:Sandboxing,ApplicationWhitelisting,EDR,ApplicationIsolation,MachineLearning,BehaviorAnalysis…Howeffectiveisyourattachmentscreeningsolution?Blockunnecessaryattachments,markexternalemail,blockinbounddomainemail…

Message Control

Don’tClickonsuspiciouslinks.

Malware

UpdateYourOSandAppsregularly.

Inacompanythat’stypicallyfullymanagedbySystemsEngineersandnothingisexpectedbyenduser.Explainyourparticularimplementation.Getunderstandingwhyusersgetpopupstoreboottoapplypatches.…againwithaneffectiveEndpointsolutionconcernsaresignificantlyreduced.

Message Control

Malware

Don’tuseunknownUSBsticksandCDs.

DeviceManagementLimitUSBaccessonlytowhatisreallyrequired.Remove/DisconnectCDDrives.…againwithaneffectiveEndpointsolutionUSB/CDtroublesaresignificantlyreduced.

Message Control

Passwords

• UseComplexPasswords• Don’treuseyourpassword• Changeyourpassword

Areweexaggeratingtheimportanceofpasswords?PasswordComplexity,reuseandexpiryisenforcedbymostauthenticationsolutionsandapplications.Explainyourownpolicy.Whatisourcoverage?Systemsthatdon’tenforcepasswordcomplexitycansendwrongmessageorconfuseusers.User’swillchoosetheweakestpasswordthesystempermits.

Message Control

Passwords

Don’tshareyourpassword.(Willinglyorgettrickedthroughphishing)

Whereitreallymatters:Usemultifactorauthentication(smartcard,HW/SWToken,biometricsetc.)

PrivilegedAccessManagement.

BehavioralAnalysis

Message Control

DeviceLoss

Don’tleaveyourdevicesunattended.

Protectthedevicesothereisnoimpactifthedeviceislost/stolen:Thattypicallyinvolvesenforcingpasswords,encryption,Backup,MDMetc.

Message Control

PhysicalSecurity

Tailgating SecurityGuards,turnstiles,Cameraanalytics(facialrecognition),multiplepeopledetection(lasers),mantrap

Ensurethatdoorstocontrolledareasclosesecurelyafterenteringorexiting.

Message Control

InstallabeepersimilartoyourfridgeJ

Challengepeoplethatattempttofollowyouthroughdoors.

• Protectwhateverassetsbehindthatparticulardoorwithadditionalcontrols.• Useasecurityguard.

PublicWi-Fi

BecarefulwithpublicWi-Fi.Encryptedvs.unencryptedWi-Fietc.

• EncryptedWi-Fithatyoudon’tmanageisasunsecureasanonencryptedWi-Fi.• Don’tallowconnectingtocorporateresourcesunlessaVPN/Micro-VPNconnectionisutilized.

Message Control

https:\\

Differencebetweenhttpandhttps. • Focusonscenariosrelevanttothecorporateenvironment.• UseVPN.• Avoidsendingmixedmessages.Makesureyourinternalservicesareusingvalidcertificates!

Message Control

Summary

• AvoidExternalities:• Involvethebusinessinthedecisionmakingorfindbetterrisktreatmentplans.

• Alwaysaskifthereissomethingmorewecandobeforeaskingenduserstoplaytheirpart.• Anyaction,decisionetc.theenduserhastotakeisaneffortthatshouldnotbeunderestimated.• Focusonreducingimpact.• GetSecurityrightfirst,thanAwareness.

Thankyou