October 31st, 2016

The following is a writeup of the Ignite talk I gave at the O'Reilly Security Conference on 2016-10-31 in NYC. As an Ignite talk, there's notably less written content than in my usual presentations, and the below is but an approximation of what I actually managed to relay in 15 seconds per slide. The slides are also available here and on slideshare.
Hi, my name is Jan. I'm from the Internet, and I'm here to help. Any of you nasty women and bad hombres on Twitter? I have a crazy idea for you: put that down. Ain't nobody got time for that. This is an Ignite talk, I gotta hurry.
Frequently it seems that in #infosec we're chasing our own tails and fighting uphill battles blindfolded with one arm tied behind our back, and that seems like a foolish thing to do, and maybe -- and that's just me being crazy here -- we shouldn't do that.
So let's not. Here's a little grab bag of the ideas that would usually be shot down. Maybe they don't work for you right now. Maybe they are batshit crazy. But maybe they can help you think differently. If they just make you pause a little, then I've accomplished my goals tonight.
So, my first advice: get pwned. Hard.
Seriously. There's nothing that focuses your company's attention on security like a major breach. Trust me, I've been there. All of a sudden your CEO will listen to you. Your board of directors and your VPs stop "accepting the risk" once they realize that the risk is not just theoretical.
But this is a tricky one: you don't want to get pwned and look like a fool. Make sure that at least your security team looks like they put up a good fight.
When in doubt, do what everybody else does. Blame it on nation state attackers and APT. Those are impossible to defend against, and because attribution is hard, nobody can prove whether it was that mysterious Someone Sitting On Their Bed That Weighs 400 Pounds or a true APT.
Next: to get buy-in from your execs, pay somebody a lot of money to tell you what you already know. Just by virtue of you paying money for it, they will all of a sudden listen.
The best part is: your consultants don't even have to do any work -- or exist. If they do exist, they should be coming up with pretty much what you've been recommending for years anyway. If they don't, one of you is likely wrong. Figure out who.
Next: know yourself a Filesystem Hierarchy Standard and some mount options.
If your base OS is immutable, then installing a persistent backdoor becomes so much harder. This isn't a new idea; we've had SELinux, secure levels, etc. for aeons. We have the technology, we can do this...
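As an added example (not part of the talk), a small POSIX sh audit that checks mount options against an "immutable base OS" policy: root and /usr read-only, scratch and home filesystems without suid/dev (and, for the scratch ones, without exec). The policy and the /proc/mounts-style sample are assumptions constructed for this illustration; on a real host you would feed it the actual /proc/mounts.

```shell
#!/bin/sh
# Audit mount options against an immutable-base-OS policy.
# The policy below is an assumption for this example, not a standard.

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# Use the real table when the caller exports MOUNTS=$(cat /proc/mounts),
# otherwise fall back to the constructed sample.
MOUNTS=${MOUNTS:-$SAMPLE_MOUNTS}

# has_opt MOUNTPOINT OPTION: succeed if the last entry for MOUNTPOINT
# (later mounts shadow earlier ones) carries OPTION in its option list.
has_opt() {
    opts=$(printf '%s\n' "$MOUNTS" | awk -v mp="$1" '$2 == mp { o = $4 } END { print o }')
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: print "MOUNTPOINT missing OPTION" for every policy violation;
# prints nothing when every rule holds.
audit_mounts() {
    for rule in "/:ro" "/usr:ro" \
                "/tmp:nosuid" "/tmp:nodev" "/tmp:noexec" \
                "/var/tmp:nosuid" "/var/tmp:nodev" "/var/tmp:noexec" \
                "/home:nosuid" "/home:nodev"; do
        mp=${rule%%:*}
        opt=${rule##*:}
        has_opt "$mp" "$opt" || printf '%s missing %s\n' "$mp" "$opt"
    done
}

audit_mounts
```

Against the constructed sample this reports that / is still writable and that /tmp allows execution; a read-only root plus noexec scratch space is exactly what makes a dropped binary hard to persist.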
Stop snarking on Microsoft. They got a lot of stuff right. PowerShell executable signatures, or Kerberos come to mind.
Your network is pwned. Your hosts are pwned. Your employees' laptops are pwned. Yes, even the Macs. There is no meaningful difference between having your systems on your corporate network, your production network, or on the big bad internet. Save yourself the hassle and complexity of network ACLs and instead build your infrastructure under the assumption of a hostile environment.
Chances are, you are already running your services on other people's computers anyway, so stop pretending you can trust anything.
Next: give root access to everybody! You already do, anyway. How many services do you have where people log in that do not have sudo access? Is the assumption that a user account that requires a password is harder to take over than a root account key? They're pwned from your employees' laptops anyway (see previous slide).
Instead of dealing with managing user accounts across all your systems, focus on managing unique, time-limited authentication tokens for all those who log in as root.
Allowing root for everybody too crazy for you? Ok, try this on for size: no logins, period.
If a system requires human attention, it's already compromised. Take it out of rotation, shut it down, destroy it.
Every time a user has to log in on a system, upon log-out, trigger a reboot, reimage.
Ok, so we reboot, reimage. You know what? While we're at it, let's apply all pending software updates.
We already have auto-updates on mobile, laptops, browsers. Let's do this for servers, too. (And while we're at it, schedule regular reboots just for kicks.)
Ok, so we got rid of regular users, root users, and we're auto-applying software updates on a regular basis. Our job here is done! Let's get rid of the entire security team!
You know what happens when you have a security team? You are telling everybody else that "security" is the job of the "security team", so why should they worry their little head about the cybers?
Security is everybody's responsibility; hire security experts into every team!
Yep. Get over yourself. "Dormant cyber pathogens" and "open cyber doors" are terrible and laughable and what kind of idiots are coming up with those terms, but for better or worse, "cyber" is the word that the public understands to mean all the other things that we pretend we imply or ascertain through osmosis from our cyber twitters.
"Cyber" is the word that your CEO, your board of directors, your VPs, and your users hear and understand. A major task in information security is to communicate with people. So use the right language, even if you throw up in your mouth a little when you say "cyber attack".
And finally, my craziest idea yet. Focus. Stop doing all the things. Stop spinning, take a time out, sit down, and figure out exactly what your biggest threats are, what your biggest weak spots are, and what, if anything, you can do about that.
Identify four or five major initiatives that meaningfully reduce your attack surface and will stop your attackers' mode of operation. Then, shift all your resources to those tasks.
Yes, there will be a moment where the internet is on fire, and script kitties submit bug bounty reports, but is that the most important thing for your understaffed team to focus on?
If not, shift your focus on what matters. Sounds crazy, I know. Crazy like a fox.
Alright, so that's my five minutes. I have many more crazy ideas, and I know that not all of these will work for you, right now. But maybe you started thinking that if you were to start over, you could apply some of these.
If all you took away from all this was a brief moment of "Haha, that's ridiculous. Although... maybe not quite that, but... hmmm, yeah, that might work for us...", then I think this was worth your five minutes.