Vulnerability Assessments: Are You REALLY Doing Them? (PowerPoint presentation by Roger G. Johnston, Ph.D., CPP, Right Brain Sekurity)

  1. Vulnerability Assessments: Are You REALLY Doing Them?
     Roger G. Johnston, Ph.D., CPP
     Right Brain Sekurity
     http://rbsekurity.com
     +1-630-551-0740

  2. Terminology
     • Threat: Who might attack, why, when, how, with what probability, and with what resources. (Includes information on goals and attack modes.)
     • Threat Assessment (TA): Attempting to identify threats.

  3. Terminology
     • Vulnerability: Flaw or weakness that could be exploited to cause undesirable consequences.
     • Vulnerability Assessment (VA): Creatively devising & discovering (and perhaps demonstrating) ways to defeat a security device, system, or program. Should include thinking like the bad guys, and also suggesting countermeasures and security improvements.
     Mimics what the bad guys do!

  4. Threat vs. Vulnerability
     • Threat: Adversaries might try to steal PII information (SSNs, credit card numbers, etc.) from our computer systems to commit crimes.
     • Vulnerability: We don’t keep our anti-malware software up to date.

  5. Purpose
     The purpose of a VA is to improve security & minimize risk, NOT to:
     • Pass a test
     • “Test” security
     • Generate metrics
     • Justify the status quo
     • Praise or accuse anybody
     • Check against some standard
     • Claim there are no vulnerabilities
     • Engender warm & happy feelings
     • Determine who gets salary increases
     • Rationalize the research & development
     • Apply a mindless, bureaucratic stamp of approval
     • Endorse a security product/program or certify it as “good” or “ready to use”

  6. A VA is Not…
     • pen testing
     • “Red Teaming”
     • feature analysis
     • security auditing
     • quality control
     • threat assessment
     • reliability testing
     • efficiency testing
     • software scanning
     • operational assessment
     • fault or event tree analysis
     • compliance testing
     • acceptance testing (from safety engineering)
     • ergonomics testing
     • Design Basis Threat
     • performance testing
     • a security survey
     • response time testing
     • gap analysis

  7. Questions Vulnerability Assessors Ask And You Should, Too: Vulnerability Assessments
     • Are vulnerabilities being confused with threats, assets needing protection, security or infrastructure features, or attack scenarios?
     • Are vulnerabilities being thought of as good news? (They should be!)
     • Are VAs being confused with other things like TAs or security “testing”?
     • Are they being done continuously, or at least frequently?

  8. Questions Vulnerability Assessors Ask And You Should, Too: Vulnerability Assessments (con’t)
     • Are the following kinds of employees (even if not security or cyber experts) drafted to help examine your security: trouble-makers, creative types, loophole finders, questioners of authority, skeptics/cynics, hackers, narcissists, hands-on enthusiasts, and puzzle solvers?
     • Resiliency & PR preparation for when security inevitably fails?

  9. Questions Vulnerability Assessors Ask And You Should, Too: Vulnerability Assessments (con’t)
     • Do your VAs suffer from any of these problems?
       - sham rigor
       - the Fallacy of Precision
       - lack of imagination
       - reactive not proactive
       - done only by insiders
       - shooting-the-messenger
       - conflicts of interest
       - cognitive dissonance
       - focused only on high-tech attacks
       - artificial constraints (scope, time, effort, modules/components/disciplines)
       - letting the good guys and the current security infrastructure/strategy define the vulnerabilities & attacks

  10. Questions Vulnerability Assessors Ask And You Should, Too: IoT Devices
     • Use hardware passwords & device IDs?
     • Have you changed the default password & device ID, and security settings?
     • Devices adhere to emerging security standards?
     • Do the devices follow Minimalist Principles?
       - range & power
       - duty cycle
       - bandwidth
       - data acquisition
       - data retention & duration

  11. Questions Vulnerability Assessors Ask And You Should, Too: IoT Devices (con’t)
     • Trusted manufacturers & vendors?
     • Is security built in from the start, or just a last-minute afterthought?
     • Early & iterative VAs on the devices?
     • Secure chain of custody?

  12. Questions Vulnerability Assessors Ask And You Should, Too: Chain of Custody for Devices*
     • Are your devices safe from physical/electronic tampering (~20 secs), counterfeiting, and backdoor insertion, including
       - at vendor or factory?
       - during shipments?
       - on loading dock?
       - before installation?
       - after installation?

  13. Questions Vulnerability Assessors Ask And You Should, Too: Chain of Custody for Devices (con’t)
     • Is there a lot of empty space inside your devices? Are they frequently opened up and examined for tampering and alien electronics? Do you know what the insides are supposed to look like? Can you spot a counterfeit device?
     • Are you under the mistaken impression that:
       - “anti-counterfeiting” tags (even if high-tech) are difficult to lift or counterfeit?
       - tamper-indicating seals or packaging (even if high-tech) are difficult to spoof, and trivial to use?
       - sticky labels (even if high-tech) provide effective tamper detection?
       - a mechanical tamper switch is serious security?
       - cargo/shipment supply chains are secure?
       - engineers understand security?

  14. Questions Vulnerability Assessors Ask And You Should, Too: Physical Access Control for Cyber
     • Are your physical access control systems designed by the sales guy, amateurs, or your cyber security people?
     • Do your locked doors have hinges on the outside?
     • Can someone open the door without using the access control system and without it knowing?
     • Does your physical access control system know when an employee has left the control area?
     • Are you under the mistaken impression that biometric access control devices can’t be easily defeated? That biometric signatures can’t be easily counterfeited?

  15. Questions Vulnerability Assessors Ask And You Should, Too: General Access Control
     • Do you have Role-Based Access Control, so that access is halted INSTANTLY when someone is promoted, given a new assignment, or terminated?
     • Do you periodically review access control privileges for all employees?
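The two questions on slide 15 are really one design point: access must be derived from a person's current role, not from grants that pile up over a career. The Python below is an added example, not from the slides or from Right Brain Sekurity; the role names and permissions are constructed sample data. It contrasts a grant-accumulating store, where a promotion leaves the old job's permissions in place, with a role-resolved store where reassignment or termination takes effect on the next check, and adds the periodic review that flags the leftover grants.

```python
from dataclasses import dataclass, field

# Constructed sample role definitions (assumption, not from the slides).
ROLE_PERMS = {
    "payroll_clerk":   {"payroll:read", "payroll:write"},
    "payroll_manager": {"payroll:read", "payroll:approve"},
}


@dataclass
class GrantBasedStore:
    """Anti-pattern: a role's permissions are copied onto the user when the
    role is assigned. A promotion adds the new role's grants, but nothing
    removes the old ones, so entitlements accumulate (privilege creep)."""
    grants: dict = field(default_factory=dict)

    def assign(self, user, role):
        self.grants.setdefault(user, set()).update(ROLE_PERMS[role])

    def allowed(self, user, perm):
        return perm in self.grants.get(user, set())


@dataclass
class RoleBasedStore:
    """RBAC: the user carries only a role; permissions are resolved from the
    current role at every check, so a new assignment or a termination is
    effective on the very next request."""
    roles: dict = field(default_factory=dict)

    def assign(self, user, role):
        self.roles[user] = role            # replaces, never accumulates

    def terminate(self, user):
        self.roles.pop(user, None)         # no role, no permissions

    def allowed(self, user, perm):
        role = self.roles.get(user)
        return role is not None and perm in ROLE_PERMS[role]


def privilege_creep(store, current_role):
    """Periodic review (slide 15, second question): return, per user, the
    accumulated grants that the user's current role does not justify."""
    report = {}
    for user, role in current_role.items():
        extra = store.grants.get(user, set()) - ROLE_PERMS[role]
        if extra:
            report[user] = extra
    return report
```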

  16. Questions Vulnerability Assessors Ask And You Should, Too: HR & Insider Threat Mitigation
     • Is HR’s role in security objectively evaluated at least annually? Does HR harm security instead of helping it?
     • If HR is indeed evil (likely), do managers, supervisors, & security managers try to compensate?
     • Do you rely on the 80% rule (“listen, empathize, validate”) to mitigate insider threats?
     • Do narcissists get their ego stroked on a regular basis?
     • Are there constraints on bully/harassing bosses?
     • Are retiring and terminated employees treated well? Is there a perp-walk for terminated employees? Is there considerable HR glee at firing employees?

  17. Questions Vulnerability Assessors Ask And You Should, Too: HR & Insider Threat Mitigation (con’t)
     • Are background checks on key personnel done periodically and thoroughly, including interviewing acquaintances?
     • Do you do bribery anti-stings?

  18. Questions Vulnerability Assessors Ask And You Should, Too: HR & Insider Threat Mitigation (con’t)
     • Do you exploit psychology research?
       - Sign a pledge of honesty at the top of documents, not the bottom.
       - Angry eye posters in critical areas.
       - Warn well-paid employees of the risk to themselves if they do something unethical, but warn low-paid employees of the potential harm to others.
       - Social influence for better security
       - Sunk-cost bias
       - Countermeasures to groupthink & to cognitive dissonance
       - Research on creativity
     • If someone has a security concern, including about a fellow employee, can they submit it anonymously? Does everybody know how? Is it safe? Does anybody do it? What happens when they do?

  19. Questions Vulnerability Assessors Ask And You Should, Too: Security Culture & Management
     • Is Security getting confused with
       - Control
       - Hassling/Threatening Employees
       - Privacy or Safety
       - Inventory Management
       - Compliance & Auditing
     • Is high-tech confused with high-security?
     • Is your security awareness & social engineering training effective? One-size-fits-all?

  20. Questions Vulnerability Assessors Ask And You Should, Too: Security Culture & Management (con’t)
     • Do you warn employees about what happened elsewhere after a serious security incident?
     • Do people affected by security rules have input about them?
     • Do security rules get reviewed often?
     • Is there unwarranted faith in “layered security”?

  21. Questions Vulnerability Assessors Ask And You Should, Too: Security Culture & Management (con’t)
     • Are employees told what security attacks look like, or just given an unmotivated list of “things not to do”?
     • Are security rules and procedures motivated and justified?
     • Is security “accountability” mostly through disciplining, firing, or scapegoating people?
     • Are awards and recognition given for good security practices, or is security only about bad news?

  22. Questions Vulnerability Assessors Ask And You Should, Too: Cyber Specific Issues
     • Have a cyber monoculture?
     • Overlook the security benefits of OpenBSD, Linux, Mac OS X, and iOS, especially for routine use?
     • Is your SOC your NOC?
     • How do regular employees recognize legitimate IT personnel and instructions?
     • Use of 2-Factor Authentication?
