
Bow Ties in Infosec: Do They Have a Place?

BSides Manchester · 2017 · 21:29 · 116 views · Published 2017-08
About this talk
Carolyn Yates introduces bow tie analysis, a risk assessment methodology from safety engineering, and argues for its application to information security. Using real-world examples from industrial safety (the Buncefield explosion) and driving, she demonstrates how bow tie diagrams map hazards, threats, consequences, and barriers to clarify system risk. The talk shows how this collaborative, qualitative technique can help security teams identify critical control failures and support data protection strategies.
Transcript [en]

Hello, welcome. Thank you very much for listening to this talk and sitting in this room; it's a bigger audience than I was imagining. I'm new to InfoSec and I'm finding it absolutely fascinating, however there is... though I've already failed, we'll start again. I'm new to InfoSec and I'm new to presenting, and I'm finding it all very fascinating. However, there is some overlap with what I was doing before, inasmuch as the tools I was using, and that's what I'm going to talk about today. It's a tool called bow tie analysis, and I was wondering whether anybody in the room has ever used bow tie analysis before. Can I have a show of hands? Okay, it's not that...

So this is your chance to escape, because it's a risk assessment tool. I'm thinking, you know, what are you thinking? Dull, unnecessary, overly complex, can I sneak out? Anything? Let's see... nope. But actually risk assessment is at the center of any activity an InfoSec professional does; in fact it's the driver. If there were no risk, we would be out of a job. At least in this sector there's some excitement about it: the risks, hackers, ransomware, they're all exciting terms. Not so in many cases of where I used to be, in health and safety. Anybody fancy doing a risk assessment on slips and trips? Now, I actually saw somebody trip this morning, so they are important.

Risk assessment in health and safety uses a range of techniques, and one of these is the one I'm going to describe today, and I'm going to briefly describe it in the context of explosions, cars and data.

So getting on to explosions: storing fuel is a high hazard activity, and this is what can happen if you don't adequately control the risks. This is shortly after the first explosion at Buncefield, and it has been described as the biggest incident of its kind in peacetime Europe. It was huge; it caused about a billion pounds' worth of damage and resulted in fines of several million. But at the center of this accident was a loss of containment, a spill, caused by a number of factors, one of which was a switch which stops the tank overflowing. And in fact you won't be surprised to hear that there were two switches that should have stopped the tank overflowing, but both of them failed. Now switches fail for a number of reasons, but the switch that failed here, it wasn't due to a mechanical failure, it wasn't due to an electrical failure, it was due to the fact that a padlock wasn't on the switch. A missing padlock meant the switch was left in an inoperable position and couldn't work, and the tests showed, when somebody went along and tested the switch, it actually worked, but the fact the operator hadn't put the padlock back in the right place meant the switch was inoperable. So that one padlock caused one billion pounds' worth of damage.

Now I'm going to go through a bow tie. I'm going to go through them several times, and it's been pointed out that these diagrams can look quite confusing when you start off, but all they are is a diagram that shows the key elements of an incident, starting with a hazard, initiating event, threats, consequences and barriers. So what we've got is a hazard: it's product storage, it's a flammable product. And in the middle we've got what's called the initiating event, which is a spill, and that's sort of the top event. And then we have threats that cause that spill, and they can be, for example, overfilling, which was the case at Buncefield, or another one could be a vehicle collision hitting the tank. And then on the right-hand side you put the impacts, so an explosion, that definitely happened at Buncefield, pollution, that happened as well, and you'll note this is not necessarily a one-to-one relationship between the threats and the impacts. And then you fill this diagram in with some barriers, and I'm keeping this quite simple, so for the overfilling it was a switch that should have been the barrier to stop the spill happening; for a vehicle collision it could be a fence. And then you get on to the barriers on the other side: for the explosion, ventilation, gas detection, or in terms of pollution, a bund. Now it's interesting to note that on the day of the explosion at Buncefield the air was very, very still, so there wasn't any ventilation to limit the explosion.

So then you put all the lines in, and you should be able to see where the term bow tie comes from. So this is a bow tie diagram, and in its bare bones what you've got is the hazard, the top event, threats, which are the initiating events, impacts, prevention barriers and mitigation barriers. And getting back to our example, having a barrier in place isn't enough; having that switch wasn't enough. Someone needs to check it, maintain it, check the padlock is there, and this is where the bow tie fits into a bigger safety management system or risk management system. The bow tie diagram shows how the elements fit together, but a follow-up exercise is to consider the critical tasks which ensure the integrity of those barriers.

So moving on to a risk that everyone in this room is probably used to taking, and that's driving.

So what are the threats? A slippery road, poor visibility, loss of attention, drugs, alcohol, tire blowouts; there's a lot of threats. And the consequences: vehicle crashes, driver hurt, driver impacts the internal part of the vehicle, whiplash. So looking at one of these threats, a slippery road, what are the preventative barriers? ABS, defensive driving training, adjusting your driving schedule so you're not driving early in the morning when the road's particularly icy, and now my technical terms, grippier, stickier tires, winter tires. But as an example, one of the companies I worked for a few years ago said that all company cars should have a minimum tire depth of 2.5 millimeters, so not the 1.8 which is the legal requirement; they said all company cars should have a minimum tire depth of 2.5 and we will change the tires at that depth. And that was because they'd looked at some of the data related to grip when your tire depth was below 2.5, and they wanted to implement that preventative barrier to ensure their cars were less likely to slip on the roads. So what was the main reason they did that? To protect their employees, yes. To spend less money on crashes, probably. There's money: they'd done a calculation, and the money they spent on the tires in terms of changing them early was less than the money that they'd paid if their company employees had accidents.

So now I'm just going to build up the diagram for driving, so we've got a few more barriers in place. So along the top we've got the slippery road, so the barriers that you have in place: the weather, adjust your schedule, ABS, tires minimum 2.5 millimeters tread depth. And then you've got some other threats here, loss of attention, blowout, and some other barriers. Then if we start to fill in the right-hand side of the diagram, the mitigation barriers to stop you crashing or the driver impacting the internal part of the car, we can have an automatic braking system, skid recovery training, seatbelts, airbag. But remember what I was saying about barriers and having to be sure that they are in place, that they work. Seatbelt is a good one: it's in the car, but it's no good if you're not wearing it, so there needs to be some mechanism to ensure that the barriers are working. So what we have in essence here in terms of the diagram is, on the left, proactive actions to reduce risk, and reactive on the right. So in terms of InfoSec, what you could think about is on the left-hand side you've got the section which is keeping the bad guys out, and on the right-hand side you've got limiting the damage once they're in.

So I'm now going to go through quite a followable process in terms of questions to build a bow tie diagram for InfoSec, for data. So the first question you need to ask is: what's the hazard? Put it a different way: what has the potential to cause harm? It's not a laptop; let's say storing confidential data on a computer. The next question is: what happens when control is lost, or what's the top event we need to consider? Unauthorized access to data might be an example. And then the next question is: what causes the hazard to be released, or what are the threats, the events or states which could lead to the top event in the absence of any safeguarding measures? And to me this is actually the hardest question, and I'm sure some of you are thinking the threat landscape is always changing, how can we ever put it on a piece of paper? Well, let's try and keep things simple and see how far we go, also considering that there is still a huge number of breaches caused by known threats. So I'm going to just start with four, and I know I'm being very simplistic here: physical intruder, non-malicious internal intruder, malicious internal intruder, and remote intruder. Then on to our fourth question: what are the potential outcomes? So what are the worst-case scenarios if no mitigation barriers are in place? And here's a whole load of them: exposure of sensitive data is the most obvious, a competitor gains trade secrets, data is deleted or corrupted, reputational damage, lost customers, business damage, lost productivity, legal action; probably you could go on.

So back to our diagram and the fifth question: what we need to consider is how we keep control, and this is where it gets quite complicated. What we need to do is identify some effective barriers. Now one of the things I noticed here, when trying to build this diagram up, is some of the barriers that we have protect against all the threats, so you'll see some complete barriers that go all the way down, so for example up-to-date anti-malware all the way across, but then you've got different barriers to protect against the different threats. Now this is not perfect, it's not complete, it's an example, and I'd say if several organizations went through the same exercise each bow tie would be different. The order of the barriers isn't particularly important. What is important to understand is that all of the barriers must fail for the threats to lead to the top event, or thinking the other way around, only one barrier has to work, and I find that quite encouraging. But the other thing to consider is there may well be vulnerabilities in each barrier; they're not perfect. And the way to think about this is to think of each barrier as a slice of Swiss cheese, with the vulnerabilities represented by the holes, and all the holes must line up for a threat to penetrate the barriers. I'm just going to show you this next diagram, which is also something from the world of safety, and it's actually called the Swiss cheese model, and I've gone through it too fast. So what you can see here is you've got your hazard on the left and you've got your barriers, and if all the holes line up... if all the vulnerabilities aren't lining up, control is maintained.

So getting on to the right-hand side of the diagram: how do we limit the severity of any unauthorized access to data? So I think at the top of this is going to be an incident response plan; without a good plan most organizations will suffer more. And then there are the individual barriers here, such as backup recovery, public relations plan, all the things like patent protection that can mitigate the damage. So just because I haven't got the paper big enough, this is perhaps what the overall bow tie diagram might look like. Now there is software to build up these diagrams; they can become quite big, but even when they are they do provide some clarity in terms of a whole system that you don't get in a different way.

So I'm just going to go through the six key questions that we had to ask ourselves. So what is the hazard, what has the potential to cause harm? What happens when the hazard is released, control is lost, the top event? What causes the hazard to be released, what are the threats? What are the consequences? How can we prevent the hazard from being released, the barriers, the preventative barriers? And how do we limit the severity, the mitigation barriers? Now another consideration that needs to be thought about is that the barriers can fail, and in reality you have to ask even more questions; it's not as simple as those six, and those questions are related to the integrity of the barriers. They might fail: take for example patching software; failure in that barrier was a factor in the recent ransomware attacks. Questions that need to be asked include: how might the controls fail? How might their effectiveness be undermined? How do you make sure they don't fail? What tasks need to be done to make sure the controls continue to work? Think back to that padlock. How do we verify that the tasks have been done? Who does them? How do they know when to do them? How do they know what to do? And is there a procedure, a checklist, to make sure they do it correctly? So all these tasks are critical tasks supporting all those barriers, those safeguarding measures. Now that's sort of going outside the time we have today, but if you want to look into this in more detail there's a lot on the web about them.

So what we have here is a tool that is used in high hazard industries: it's used in chemical industries, it's used in energy, it's used in aviation, it started in health and safety, it's used to minimize the risk of harm to people and property. Now protecting data is also complex, and I've greatly simplified it in my examples here, but if this technique has proven to be useful in the chemical industry, where complexity is high, chemical processes, machines, computers, people, I think it probably is worth considering when protecting data. So ultimately what we have here is a tool to support our efforts in reducing risk, and that could be the risk of data breaches. It's not the type of tool you normally talk about, so it's not one based on technology, an application or a program; it's more a tool based on collaboration, communication, a logical technique. To actually build these diagrams you need a group of technical people all in the same room talking to each other, but the tool has the aim of reducing risk. It provides clarity, and it's used in some of the best safety systems in the world, systems which do reduce risk, and for those reasons I think bow tie analysis does have a place in InfoSec and a place in the system you use to ensure the security of your data. So I encourage you to have a look at them, and if you've got any questions, please ask away.

Good question. I think, yeah, you keep coming back to redoing the bow ties, because obviously things are always changing, so it is part of the system that you keep coming back to redoing them. Yes, yes, yes, so it's not a static thing; as things change you need to come back and look at them again. Yes, yes, actually that's one word I did miss there. Yes, it's definitely a qualitative technique, so there's no numbers. If you wanted to get on to a more quantitative technique, you're into, in safety terms, in health and safety terms, fault tree analysis and event tree analysis, which this links to, but it's very much a qualitative technique. Yes, any other questions? Yeah, good, that's good. Yes, there's definitely one company that does it. I've never used it; I did all these just by hand, you could just do it by hand, but there is a company that has software that does it. I think that is part of the iterative process, and actually this tool was used initially to analyze incidents and accidents, so I think it was Piper Alpha, so it was used after an accident to actually feed back, and one of the few examples I have seen in the InfoSec area is it was used to analyze part of the Stuxnet attack. So there is one diagram that I've seen, so although it was used to analyze attacks and incidents, it can also be used proactively. Well, if you look this up further you get on to things called escalation factors, and so that's when the barriers fail and what can escalate in terms of the incidents. So yes, it does get more complicated and there are more layers, and I have kept it very high level here. Any other questions? Thank you.
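A small model of the six-question bow tie the talk walks through, added here as an example and not part of the original talk: it encodes the data-storage bow tie (hazard, top event, the four threats, and the barriers the speaker names) and checks the Swiss cheese rule that every barrier on a path must fail, which barriers run all the way across, and which drawn barriers have no critical task behind them. The per-threat prevention barriers other than up-to-date anti-malware and patched software, and the critical tasks, are assumptions added for illustration.

```python
"""Bow tie model of the talk's InfoSec example (constructed, not the speaker's diagram).
Hazard, top event, threats and named barriers come from the talk; other barriers are assumed."""
from dataclasses import dataclass, field


@dataclass
class BowTie:
    hazard: str
    top_event: str
    # threat -> prevention barriers on its path; ALL must fail for the threat to reach the top event
    prevention: dict[str, list[str]] = field(default_factory=dict)
    # consequence -> mitigation barriers; ALL must fail for the consequence to go unmitigated
    mitigation: dict[str, list[str]] = field(default_factory=dict)

    def threat_reaches_top_event(self, threat: str, failed: set[str]) -> bool:
        """Swiss cheese rule: the holes must line up, so one working barrier keeps control
        (a threat with no barrier at all gets through unconditionally)."""
        return all(b in failed for b in self.prevention[threat])

    def unmitigated_consequences(self, failed: set[str]) -> set[str]:
        """Consequences nothing is left to limit, once some threat has reached the top event."""
        if not any(self.threat_reaches_top_event(t, failed) for t in self.prevention):
            return set()
        return {c for c, bs in self.mitigation.items() if all(b in failed for b in bs)}

    def complete_barriers(self) -> set[str]:
        """Barriers that run 'all the way across' the left side, protecting against every threat."""
        return set.intersection(*(set(bs) for bs in self.prevention.values()))

    def unverified_barriers(self, critical_tasks: dict[str, str]) -> set[str]:
        """Barriers with no check/maintain task assigned: on the diagram, but nobody owns the padlock."""
        drawn = {b for bs in (*self.prevention.values(), *self.mitigation.values()) for b in bs}
        return drawn - set(critical_tasks)


DATA_BOWTIE = BowTie(
    hazard="Confidential data stored on a computer",
    top_event="Unauthorized access to data",
    prevention={  # anti-malware is the talk's 'all the way across' barrier; the others are assumed
        "physical intruder": ["up-to-date anti-malware", "door access control"],
        "non-malicious internal intruder": ["up-to-date anti-malware", "least-privilege access"],
        "malicious internal intruder": ["up-to-date anti-malware", "least-privilege access", "activity logging"],
        "remote intruder": ["up-to-date anti-malware", "patched software"],
    },
    mitigation={
        "exposure of sensitive data": ["incident response plan"],
        "competitor gains trade secrets": ["incident response plan", "patent protection"],
        "data deleted or corrupted": ["incident response plan", "backup recovery"],
        "reputational damage": ["incident response plan", "public relations plan"],
    },
)
```

Feeding the model a set of failed barriers (for example, unpatched software plus lapsed anti-malware, the talk's ransomware case) shows which threat gets through and which consequences are then left unmitigated.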