[CB16] Keynote: How much security is too much? by Karsten Nohl
TRANSCRIPT
What you will take away from this keynote
1. Hear from a security researcher and practitioner about which protections work and which are unnecessary
2. A better understanding of the security-innovation trade-off
3. Some ideas for deploying effective (but never perfect!) security measures
How security pros view themselves
[Two images, contrasted with "vs."]
We ask the question "How much security is too much?" in two areas
A. Product security: Remove hacking risks for your customers
B. Information security: Protect your own systems from hacking
Agenda
A. Product security
1. Security researchers* take extreme positions
2. Many companies only react to extreme positions
3. The security community is fighting vulnerabilities, not risks
B. Information security
* As reported in the media
Terrible year for iOS security, right?
Pegasus malware
FBI-style hardware hacking
Your iPhone getting hacked is rather unlikely
Pegasus malware
- 1 billion iOS devices possibly vulnerable
+ Only one (!) attempted infection
+ Apple patched the vulnerability within 10 days
FBI-style hardware hacking
- Hack is now publicly available at low cost
+ Only possible with hardware access
+ Only works against the oldest 22% of iPhones (5c and older, March 2016)
[Graph: iPhone market break-down [Apr 2016], by model: 6, 5S, 6S, 6 Plus, 6S Plus, 5, 5C, 4S, 4]
Source for graph: http://info.localytics.com/blog/how-will-apples-newest-iphone-impact-mobile-engagement
Few Android phones get hacked; those that do are outdated
[Graph: Hacked devices vs. market break-down (%), 0-100, for Android 6, 5, 4.4, 4.3 (and older); series: Market break-down, Hacked phones; ~2% hacked, rest not hacked]
Source: developer.android.com/about/dashboards/index.html, https://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf
Should mobile really be a chief security concern?
iOS infection rate: <0.1%
Android infection rate: ~2% (<0.2% for current devices)
Windows infection rate: 20-40%
Source: http://www.pandasecurity.com/mediacenter/src/uploads/2016/05/Pandalabs-2016-T1-EN-LR.pdf
Companies' InfoSec priorities are not aligned with actual incidents (ILLUSTRATIVE)
Typical corporate InfoSec priorities:
1. Buy iOS security software
2. Ban or lock down Android devices
…
10. Do something uncreative about Windows security, like upgrading antivirus software
vs.
Actual endpoint hacking incidents:
1. Windows
2. Windows
3. Social engineering
4. Windows
…
100. Android
Your time is best spent protecting from the most likely threats (ILLUSTRATIVE)
Risk matrix, rated Low / Medium / High in the columns Vulnerability (hacking ease), Hacker incentive, Damage, and Risk:
BadUSB: vulnerability: infect computers from USB firmwares; incentive: local attack propagation; damage: varies by system
Targeted malware: vulnerability: infect Windows through e-mail attachments or malicious websites; incentive: remote infection; damage: varies by system
Don't bother protecting your Internet-connected computers from BadUSB before you have solved the malware challenge
Next big hacking frontier: Cars?
Security caution can delay safety, and ultimately kill people
[Graph: Car fatalities per 100 million miles [US], y-axis 0 to 5, x-axis 1970 to 2020; annotated with the introduction of ABS, Airbags, ESC, Adaptive cruise control, and "Autonomous cars?"]
§ If we test all new car components for hacking risks, we delay their introduction
§ A delay of 3 months due to security design and testing means more people get killed on the road
§ 200,000 more people die within the next 10 years
SOURCE: https://en.m.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year
Agenda
A. Product security
B. Information security
1. Everybody breaks security rules (but we don't usually talk about it)
2. Unpopular security controls are not effective, and worse: they inhibit innovation
3. For security or innovation to work, we need user-friendly solutions
4. Threat monitoring is user-friendly. It increases motivation, productivity, innovation and security
Restrictive protections are easily and often circumvented
Standard "protection" practice: funnel web browsing through a proxy server; block everything else at the firewall (corporate user -> proxy -> Internet; other paths blocked)
Standard circumvention: Skype tunnels its traffic through web proxies and regularly changes its server addresses
Large hacks are often the result of protections circumvented by people who "need to do their job"
Hacking case: Target lost credit card data for 300 million customers
Root cause: A Target supplier installed a remote access tool to tunnel into the Target network for maintenance
[Headline: "Target's CEO Steps Down Following The Massive Data Breach"]
Case study: a typical Enterprise/SOA bus evades classic network security techniques
[Diagram: External and internal users -> Web application firewall (unmanaged) -> Application servers (App, App) -> Service bus -> Authentication server, Critical databases]
User requests are often passed on all the way to critical services on the bus
Low-level protections that do not prevent app-level hacks are not shown: firewalls, IPS, proxies, and SSL gateways
Circumventing restrictive controls often is net positive
Security can save millions vs. restrictive security can destroy billions in value

Security can save millions (area: incident example; cost; likelihood per year):
Destructive damage: SCADA hack damages factory; 10m; 2%
Lost revenue: Major government contract does not close; 50m; 1%
Image impact: Major marketing campaign needed to offset hacking impact; 15m; 1%
Image impact: Smaller campaign needed to offset smaller hacking impact; 1.5m; 10%
Competitive damage: Theft of major IP (patent application, design document); 5m; 10%
Competitive damage: Negotiation details stolen (M&A, long-term contracts); 2m; 10%
Effective total cost per year: <2m
Trade-off function: Invest until damage elasticity = incremental protection effort

Restrictive security can destroy billions in value:
§ "Billion dollar ideas" mostly grow from creative people freely playing with innovative technology, which is the opposite of what security often aims for
§ Microsoft paid USD 9 billion to buy Skype, a technology the Microsoft policies would not allow
§ German "Datenschutz" vs. Silicon Valley profits
Trade-off function: Protect until and as long as innovation can flourish
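Added example (not from the talk): the slide's cost table computed as an expected annual loss, with the trade-off rule applied as a greedy marginal-benefit check. The three candidate controls and their figures are constructed and hypothetical.

```python
from collections import namedtuple
# Scenario: area, one-off damage (million USD), likelihood per year.
Scenario = namedtuple("Scenario", "area cost likelihood")
# Control: name, annual cost (million USD), {area prefix: fraction of likelihood removed}.
Control = namedtuple("Control", "name annual_cost reduction")

# The six incident scenarios from the slide.
SCENARIOS = [
    Scenario("Destructive damage", 10, 0.02),
    Scenario("Lost revenue", 50, 0.01),
    Scenario("Image impact (major campaign)", 15, 0.01),
    Scenario("Image impact (smaller campaign)", 1.5, 0.10),
    Scenario("Competitive damage (IP theft)", 5, 0.10),
    Scenario("Competitive damage (negotiation details)", 2, 0.10),
]

# Constructed candidate controls; the figures are hypothetical, not from the talk.
CONTROLS = [
    Control("OT network segmentation", 0.15, {"Destructive": 0.5}),
    Control("Deal-room monitoring", 0.10, {"Competitive": 0.6}),
    Control("Full DLP rollout", 0.90, {"Competitive": 0.8, "Lost revenue": 0.2}),
]

def annual_loss_expectancy(scenarios):
    """Sum of cost x likelihood: the slide's 'effective total cost per year'."""
    return sum(s.cost * s.likelihood for s in scenarios)

def apply_control(scenarios, control):
    """Scenarios with likelihood reduced wherever the control's area prefix matches."""
    def cut(s):
        return max((f for a, f in control.reduction.items() if s.area.startswith(a)), default=0.0)
    return [Scenario(s.area, s.cost, s.likelihood * (1 - cut(s))) for s in scenarios]

def net_benefit(scenarios, control):
    """Expected-loss reduction minus the control's own annual cost."""
    saved = annual_loss_expectancy(scenarios) - annual_loss_expectancy(apply_control(scenarios, control))
    return saved - control.annual_cost

def choose_controls(scenarios, controls):
    """Greedy marginal analysis: buy the control with the largest positive net benefit until none pays for itself."""
    chosen, remaining = [], list(controls)
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(scenarios, c))
        if net_benefit(scenarios, best) <= 0:
            break
        chosen.append(best.name)
        scenarios = apply_control(scenarios, best)
        remaining.remove(best)
    return chosen, annual_loss_expectancy(scenarios)
```

With the slide's figures the expected loss is 1.7m per year; only the cheap monitoring control pays for itself, and the heavy DLP rollout does not, which is the slide's point that expensive restrictive controls rarely clear the bar.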
Too little and too much protection hinders innovation
[Graph: Damage and Innovation potential plotted against Protection effort; annotations: "Incidents spread fear" at low protection effort, "Restrictions kill innovation energy" at high protection effort]
Less-restrictive protection alternatives often exist
Restrictive protections -> Innovation-friendly alternatives:
§ Many complex passwords -> Single-sign-on using smartphones
§ Web proxy block lists -> SSL termination and monitoring
§ No admin rights for users -> Process monitoring
§ Corporate phones (Blackberrys) -> BYOD with ActiveSync and VPN
§ Endless pentesting -> Bug bounties
§ Security policy -> Awareness campaigns
§ DLP -> Awareness; or simply more trust
Where no less-restrictive alternative exists, close risk monitoring may allow you to keep restrictive protections switched off until a risk becomes real
Forest or Trees? (Security Monitoring is hard!)
SOC ramp-up delivers fast results only in top-down manner
Bottom-up – Start with data (18 months):
§ Collect available data sources
§ Create simple use cases
§ Become familiar with data
§ Integrate more sources
§ Add advanced use cases
§ Generate alarms
vs.
Top-down – Start with threats (days per use case):
§ Start with most relevant threats
§ Create tailored use cases
§ Collect only data needed for current use case
§ Forensically investigate incidents
Takeaways
1. We chase after vulnerabilities instead of risks by forgetting about hackers' incentives
2. The largest risk-cost trade-off is between restrictions and innovation potential
3. Often, innovation-friendly alternatives exist that can replace restrictive choices
4. Risks need to be monitored and managed: "Protection from everything" kills innovation, thereby kills the very things you want to protect
Questions? Karsten Nohl <[email protected]>