Fail, Learn, Fix: Improving Security The Old-Fashioned Way

Transcript

1. Fail, Learn, Fix: Improving Security The Old-Fashioned Way Bryan Payne

   @bdpsecurity
2. None
3. None
4. None

5. 0 37.5 75 112.5 150 2002 2003 2004 2005 2006

   2007 2008 2009 2010 2011 2012 2013 2014 2015 Electrocution Deaths in Construction (in US) Data from The Center for Construction Research and Training
6. None

7. Fail, Learn, Fix in Computing

8. symbolics.com

9. Therac-25

10. Therac-25 software controlled radiotherapy machine

11. ; V[0], V[1] is the 64 bit input vector mov

    V_0H Y_HIGH mov V_0L Y_LOW mov V_1H Z_HIGH mov V_1L Z_LOW ; encode V[0], V[1] jsr r7 ENCODE ; CTX is the cipher text mov Y_HIGH CTX_0H mov Y_LOW CTX_0L mov Z_HIGH CTX_1H mov Z_LOW CTX_1L ; reverse the encryption jsr r7 DECODE ; PTX is the recovered plain text ; should be the same as V[0], V[1] mov Y_HIGH PTX_0H mov Y_LOW PTX_0L mov Z_HIGH PTX_1H mov Z_LOW PTX_1L halt Image created by Stefan Kögl

12. • Lack of documentation • Insufficient testing • Cryptic /

    frequent error messages • Complicated software programmed in assembly language • Custom real time operating system • No fault tolerance / redundancy • Systemic failures — no hardware safeguards for software faults Therac-25: Major Flaws

13. • Test properly and thoroughly • Software quality and assurance

    must be a design priority from the beginning • Safety and quality are system attributes, not code attributes • Interface usability is important • Safety critical systems should be created by qualified personnel Therac-25: Learnings

14. • Overconfidence in software • Confusing reliability with safety •

    Lack of defensive design • Unrealistic risk assessments • Inadequate investigation of incident • Inadequate software and system engineering practices • Software reuse • Safe vs “Friendly” User Interfaces • User and Government Oversight Standards Therac-25: 30 years later https://www.computer.org/csdl/mags/co/2017/11/mco2017110008.html

15. What would have happened if the Therac-25 failure didn’t occur?

16. Fail, Learn, Fix in Security

17. None

18. “…security is expensive to set up and a nuisance to

    run… While we await a catastrophe, simpler setup is the most important step toward better security.” Butler Lampson, USENIX Security Keynote Address, 2005

19. Image created by Johanna Pung for Wikimedia Deutschland

20. Top 5 Action Varieties in Incidents (2017) DoS Loss Phishing

    Misdelivery Ransomware 0 7500 15000 22500 30000 Data from Verizon Data Breach Investigations Report, 2018

21. Gpbs 0 200 400 600 800 2002 2003 2004 2005

    2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Largest DDoS (Approx) Data from Worldwide Infrastructure Security Report, NETSCOUT Arbor

22. Top 5 Action Varieties in Breaches (2017) Stolen Creds RAM

    Scraper Phishing Priv Abuse Misdelivery 0 100 200 300 400 Data from Verizon Data Breach Investigations Report, 2018

23. 0 400 800 1200 1600 2005 2006 2007 2008 2009

    2010 2011 2012 2013 2014 2015 2016 2017 Records Exposed (in Millions) Data Breaches Data from statista.com

24. Fail Learn Fix

25. Fail Learn Fix A+

26. Fail Learn Fix A+ C

27. Fail Learn Fix A+ C F

28. Paths to Success

29. None

30. Image from https://www.flickr.com/photos/stampinmom/

31. Security Pattern Catalog http://www.munawarhafiz.com/securitypatterncatalog/

32. Image fromhttps://www.flickr.com/photos/slgc/

33. Alice (TLS Endpoint) Bob (TLS Client) Cert & Key Cert

    & Key

34. Alice (TLS Endpoint) Bob (TLS Client) Cert & Key Cert

    & Key Certificate Authority HSM

35. Alice (TLS Endpoint) Bob (TLS Client) Cert & Key Cert

    & Key Certificate Authority HSM • Cert lifetime? • Key size? • Key type (RSA, DSA, etc)? • Intermediate root certs? • DHparms? • Trust in ID verification? • Deploy root certs? • Protect keys? • Client-side cert/key? • SSL/TLS versions? • Cipher suites? • HSTS? • SSL/TLS library? • Cert validation? • Client compatibility? • Perfect forward secrecy?

36. ENDPOINT_SECURITY=enabled

37. None

38. Failing Better

39. • Align on how we talk about our systems and

    our failures • Share lessons across the industry • Identify trends • Connect trends to risk / impact Learning Better

40. • Security experts agree on proper patterns for fixing problems

    • Create real world implementations of the patterns • Ensure that it is trivial to use implementations correctly • Integrate security into computing ecosystem Fixing Better

41. Success Stories

42. None

43. Graphs from https://arstechnica.com/information-technology/2013/10/internet-explorer-6-usage-drops-below-5-percent-in-september/

44. 0 25 50 75 100 Aug 2015 Feb 2016 Aug

    2016 Feb 2017 Aug 2017 Feb 2018 Aug 2018 Percentage of Alexa 1M Sites With HTTPS Data from https://scotthelme.co.uk/alexa-top-1-million-analysis-august-2018/

45. Secure the system… for everyone! Fail Learn Fix

46. Fail, Learn, Fix: Improving Security The Old-Fashioned Way Bryan Payne

    @bdpsecurity