
Security Debt, Running with Scissors

BSides Athens · 2022 · 25:02 · 39 views · Published 2022-06
Category: Technical
Difficulty: Intermediary
Style: Talk
About this talk
Security debt—the accumulation of missed patches, accepted risks, and misconfigurations—compounds as organizations neglect to review and address these issues systematically. Dave Lewis discusses how security debt manifests in cloud and IoT environments, drawing parallels to "running with scissors," and outlines practical strategies including zero-trust models, continuous trust and access verification, input/output sanitization, and disciplined patch management to break the cycle of deferred risk.
Original YouTube description
Abstract: Security debt, "the accumulation of the patches missed, the risks accepted, and the configurations misapplied," is a serious and common problem for many organizations, especially with the move to cloud computing and the rise of IoT. Part of the problem is that, while organizations might accept the risks they encounter, they often neglect to review them or make a plan for the future, and that risk is compounded when patches are passed from person to person through staff changes and/or employee churn. However, it doesn't have to be this way. To track and address security debt, organizations must develop and implement defined, repeatable processes. They should look to strategies like the zero-trust model, trust but verify, sanitization of inputs and outputs, and, of course, make sure to execute patches instead of pushing them onto the next person. Security debt occurs when a technological debt has manifested as a security issue and the associated risks are accepted but not addressed. The longer organizations wait to address risks, the harder it is to address them. To eliminate debt, organizations should create defined and repeatable processes with plans for action.

Bio: Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. Dave is a Global Advisory CISO for Cisco. He is the founder of the security site Liquidmatrix Security Digest & podcast, as well as the host of DuoTV and the Plaintext podcast. He is currently a member of the board of directors for BSides Las Vegas. Previously he served on the board of directors for (ISC)2, as well as being a founder of BSides Toronto. Dave has been a DEF CON speaker operations goon for over 10 years. As well, he serves on the advisory board for Sector Security Conference and CFP review for 44CON. He is currently working towards his graduate degree at Harvard. Dave has written columns for Forbes, CSO Online, Huffington Post, The Daily Swig and others.
For fun he is a curator of small mammals (his kids), plays bass guitar, grills, and is part owner of a whisky distillery and a soccer team.
Transcript

Hi there, and welcome. Thank you all for having me here at BSides Athens, as virtual as it is. I hope that next year we'll be able to do this in person. So I'm Dave Lewis, and my talk today is "Security Debt and Running with Scissors", and we'll get into what that means in just a second.

So I've been in security now for the better part of 30 years, and I have done pretty much every role along the way, up to and including being a CSO for a power company. And I have always been of a hacker mind. When I got started back in 1983 (I hate that I can say that), I was really having a good time, you know, duping video games, telling my kids in school, that sort of fun stuff. And well, time has skipped ahead on us, as it always does, and now I'm a pretty much grizzled old graybeard and a rather frequent coffee drinker. And it's been interesting: over the last couple years, during the course of the pandemic, I got into a couple of side ventures, being involved with a whiskey distillery as well as a soccer club here in Canada, and it's been really interesting to be able to try different things, even though we have been, for a large part of it, locked down. But now hopefully we are coming to a better place, I want to believe. I also would love it if this virus would just go away.

So I am Canadian, so sorry about that. It is, you know, a running joke here in Canada. And we have to keep our wits about ourselves, because so many times we have issues that crop up and we often forget about the human element. So we have to be very cognizant that we are taking time to take care of our own mental health as well as those around us. So having a good laugh every once in a while doesn't hurt, because we have far too many soul-crushing meetings, and, you know what, we have to be very cognizant of that, because there are better ways to do things. And over the course of the last couple years we've actually found that we can be very productive as security professionals in this climate, so that has been a real bonus in that regard.

So I myself identify as a hacker, and that means that, well, most of the world is not a big fan of us. "Hacker", quite literally for me, is a term for someone with an innate curiosity about how things work, how we can take them apart, put them back together again. And the criminal side of things is something that I refer to as the attacker. So we have to make sure that we are owning our own lingua franca, because otherwise the media will spin it for us.

So back many years ago I got my first apartment, and the first thing I did after my folks drove off and it was just my roommate and I was, I grabbed a pair of scissors and I ran around the apartment. And my roommate thought I had completely lost my mind, and wasn't too far from incorrect; he wasn't too far from the right, you get me. So I just thought it was an ultimate act of rebellion, not taking into account that this could have been a rather unfortunate accident if I had tripped. And this is really how I like to frame security debt.

Now, for me, security debt is a technical debt that has manifested a security issue, and we'll talk about that a little bit more later. And it is very much akin to running around with a pair of scissors in your hand: seemed like a good idea at the time. So we have to make sure that we're looking at how we're doing security in our environment. And just because something's inside your firewall doesn't mean it's necessarily secure, because I have worked in an organization in the past where that was actually said to me by a CIO, and the problem here was that security wasn't part of the equation; it was a flat network, and the phrase that was said to me was that "we trust everyone who works here". Which is all well and good, because ransomware trusts everybody too; they trust us to make mistakes. Ransomware really is the debt collector for security debt, and we have to make sure that we are not making it easier for attackers to be able to get their job done.

Another thing here too is, we all like to be environmentally friendly, which is a good thing, except when it comes to passwords. Now, I stole this from my friend Keren Elazari, and this is a great idea here, because we have to make sure that we are not recycling passwords; we are not reusing them on multiple sites, from our internet banking to whatever it happens to be. Because the attackers know this, and they will go after sites and compromise them and then reuse those credentials to try and escalate their privilege. So we've got to make sure that we are not making their jobs any easier, because as a security professional we always feel like this, or at least I do, and hopefully we can get to a better place so we are not feeling like this constantly.

So when we're born into this world we have to understand that we are defaulting to trust. Now, Malcolm Gladwell talked about this in his book "Talking to Strangers": that when we're born in this world we are looking for food, we are looking for shelter, we are looking to be safe, and as a result we don't have an innate understanding as to what it means to be securing our environment and making sure that attackers can't cause us undue harm. We are just reaching out and hoping for the best. Now, this does not translate into the modern world, and when I say that, from the perspective of computer security we want to make sure that we are "trust but verify", and verify again, because we can't just accept at face value that someone is who they say they are. We have to make sure that trust is an absolute factor in everything we do, but it's established trust, because trust is ephemeral. We want to make sure that we are not just saying, "oh, I trust Frank because Frank is somebody I've always known", because Frank might not be Frank behind the keyboard anymore; Frank might have lost control of his own credentials. So we have to always keep that in mind.

Because in the last couple years we've really seen that our security paradigm has shifted; our threats are different. I've been very fortunate that I've been a home office user for many years, so a lot of this was old hat for me, but too many people have really had a hard time adjusting. Because before the pandemic we had folks that would say, "oh, I'm going to work from home on Friday", which was code for "I'm going off to the islands", or "I'm going off to the cottage", or whatever it happens to be in your respective jurisdictions. And it has really changed how we view the world. So in addition to the threats that we have to deal with (cats running across keyboards, dogs chewing through cables, kids tapping on computers when they shouldn't), we have to make sure that we also understand the human element, as I mentioned before, because the human element really does factor into security debt as well. Because we want to make sure that we're being aware that people are in a different environment; they are really trying very hard to get their jobs done in a safe and secure manner, and they're worried about how they are going to be able to pay their bills. So attackers know this, and they tend to prey on this using various phishing techniques and things to that effect. So we want to make sure that we're giving them tools that are going to help democratize security and keep them safe and secure at the same time.

Because security debt, as I mentioned earlier, for me is a technological debt that has manifested a security issue, and I really like to make that absolute distinction, because I have been in too many environments in the past where security debt really had become a wide-open problem: OS/2 Warp systems running HVAC that were attached to the internet, all sorts of really odd things like that; an old Polycom device that was configured to access the internet using default credentials, and also with the ability to change that to allow SSH through it into the network. These are the kind of things that you might not think about at the time, but they do manifest as a security issue once the attackers find them, absolutely.

But we want to make sure that we're managing that risk to our environments, because things like Heartbleed and Log4j, these are going to continue to happen. Because when organizations are using open source software (and to be clear, there's nothing wrong with open source software), they have to be able to manage the risk associated with it. Because at the time, Heartbleed's SSL, or sorry, the SSL library rather, was being used by e-commerce sites all over the planet; like, everybody was using it. But at that point in time there was about one and a half people dedicated to maintaining that particular library. Thankfully that has been remedied, and they are well financed and the rest of it, but it's just one example of many. There are all sorts of open source libraries that find their way into commercial software that may not be properly maintained. So we want to make sure that we are keeping on top of that and not introducing undue risk into our environment.

Because there's different ways to handle risk: do we avoid it, accept it, reduce, transfer? The thing here that really bothers me is, far too often I see organizations just accept the risk. They sign it off and move on, and it's forgotten; that piece of paper ends up in a desk drawer, or it's filed off in some obscure part of your computer that you never look at again. And that's a problem, because there's also the pieces: who is accepting that risk? Who has the ability to accept the risk in your organization? And what's your plan to deal with it in the future? Because things like this are going to continue to happen. I've seen this in far too many environments, where a beige desktop was in production running mission-critical code written by a summer student that nobody knew how to port off, and they couldn't afford to shut it down because it was running a critical function. This is just one example of many that far too many organizations have in their environments.

The last couple of years I've been doing CISO roundtables, roughly about one per week, and this has been a topic that has come up over and over again: these old, deprecated systems that we're running that are not maintained, not patched, "but it's okay because we have a firewall". It's an unfortunate notion that people put a little bit too much investment into the idea of a traditional perimeter, the castle wall, the moat, and all the rest of it. Really, that has been a deprecated notion for many, many years. We want to look at the access perimeter, or rather the perimeter, as being anywhere an access decision is being made, and we have to be very clear on that.

So just accepting the risk is not going to help you. It is going to buy you time, and it's usually driven out of an IT project: the project manager just wants to get to the end of job, so they accept the risk, they move on, and the risk is forgotten. So this can't continue, because when we're looking at it from a project-based perspective there's usually no sunset provision for that particular project. So when that project is built it could be meant to last for three years, five years, whatever it happens to be, but then in most organizations it'll limp on for 10 to 20 years. And this is a real problem when they're not being patched, not being maintained, not being configured; the people who installed it didn't properly document it and have now left the company. These are the kind of things we have to make sure that we're keeping on top of on a consistent basis.

And when you're looking at security in your environment, you want to understand what are those business priorities for your organization. Running around with your hair on fire saying "oh, this is really bad" has extremely limited utility. You want to look at it as, what are the outcomes you're trying to achieve from a security perspective in order to satisfy the aspirations of your business? Fundamentally, that's it at its core. So if you don't understand what it is you're securing in your business, you know, you're not just saying the answer is no, you're going to put yourself in a bit of a disadvantage. You want to make sure you clearly understand what the mission of your organization is so that you can best protect it. And from a business context, what is most important? What are they, like I was talking about, what are they trying to achieve? But we also have to make sure that we're not negatively impacting systems in our environment; we have to be able to facilitate that conversation with the developers, with the business units, so that they don't just stand up an application and hope for the best.

In the past I was dealing with one organization who built out a web application and put it live, somehow bypassed security altogether, and the very first day it went live they came to me and said, "oh, we need a security review". Nothing like being timely. The problem here is, the first thing I did was view source on the web page, and right there, commented out in the code, was the username and password: admin and password. I wish I was joking, but this was actually a thing. What made it worse was the particular manager for that development team looked at me and said, "you've hacked our application". I had to take a moment's pause. That was a very difficult moment for me, because I wanted to scream and pull my hair out, but that wouldn't have accomplished anything. I at that moment realized that there was a failure on my part and my team's part, that we didn't clearly communicate to the organization what we expected from them from a security perspective, and they clearly didn't have any understanding of that. So rather than vilifying the users, I had to find a way to have that conversation to better impart what security issues we needed to take care of, so that this didn't continue in the future.

Now, we talked about project managers and how sometimes you would see risks being accepted by the wrong people. But within your own business, ask yourself this question: who has the ability to accept risk? Typically it ends up in the C-suite, but not every organization understands that, and far too often I'll see organizations that are accepting risk that are individuals that have no capacity or authority to accept a risk. One organization that I was at (and I left shortly after this) was, we had done an entire vulnerability assessment of the organization, found an absolute plethora of organizational issues, vulnerabilities, configuration issues; imagine a flat network that spans the globe. And we presented them to the head of IT (wasn't even the CIO, who's the IT manager or director rather for that particular part of the organization), and he said, "that's okay, we'll just accept the risk". This was very, very difficult to wrap my head around at the time, because at no point was he doing anything to mitigate the issues, and it was really a trivial exercise for an attacker to breach that particular organization. I sincerely hope that they have long since fixed these issues, but it was not something that they were really keen to take a serious look at at the time.

So when you're looking at the various security issues within your organizations, what those risks are (and when I say the risks, I mean it from quite literally an expectation of loss: if this particular system goes down, how much is that going to impact the business, and how is it going to impact the business? How can you quantify that?), and how can you improve the process in order to make sure that those risks are being dealt with? So do you have a risk register? Are you tracking these risks to end of job? Are you able to clearly communicate this to the auditors when they come calling? And wow, they come calling. Pardon me, take a little water break.

So we want to make sure that we have a clear, defined, repeatable process on how we can address this and reduce the risk in our organization. Fundamentally, because if these risks are not addressed, over time they compound, and when you add in new systems, add in new projects, over time you end up with a layer of digital detritus that really can cause an unbelievable number of issues. And if an attacker is able to breach one system, all of a sudden they have the ability and capacity to pivot from one system to another, and we don't want to make their job any easier than it already is. We want to make sure that we are not allowing these issues to languish, because fundamentally that danger does grow over time, and if we have a lack of action on our part it just presents targets of opportunity for the attacker.

And when we layer in things like IoT, the risks explode. There are many, many, many issues that come with this, and I'm not talking just simply about consumer-grade cruft, the baby monitors and the wireless light bulbs and things like that, but control systems that are being used to do manufacturing, to handle control systems for power, water, and so on. All of these things, if they are not properly maintained, we have a real problem. And there is an adversarial relationship that I've seen historically between OT and IT groups within organizations that handle these systems. We have to find a way to build that bridge to make sure that we're avoiding these security issues, because as these things crop up they're going to add greater and greater levels of complexity, in order to, try that again, for our systems that we need to protect. And we have to go through that lather, rinse, repeat, and as we add in multiple systems that becomes far more difficult to address.

We can't just be that flaming sword of justice running down the hall and saying the answer is still no. And we have to make sure that when we make our slides the color of the letters on the slide are the right color so you can actually read it, which says "the flaming sword of justice". So that refers to somebody that I knew many years ago who really, his answer to everything was no, and this does nothing to improve security for an organization. That's an old-school, dated approach, and it's really ineffective. If we are not taking time to empower the organization, to help them better understand how to secure the environment, it's doing nothing to improve matters, because that perimeter is not what it used to be. It's everywhere; anywhere an access decision is being made. Because data breaches are happening, and they're happening all the time, and it really does seem in a lot of cases like everybody wants one. So we want to make sure that that is not going to continue as a trend.

Back in 2012 I started tracking data breaches, and there was a few here and there. I think the biggest one at the time was six and a half million records, which was pretty huge back then, but nowadays we're dealing with orders of magnitude of billions of records being compromised. We can do better. When we look at it, and we see that a lot of the breaches are handled, or rather facilitated, through weak credentials like qwerty, password123, things like that, vilifying the users isn't going to help. We have to give them better tools; we have to give them better ways to protect things. Because if it's a weak unpatched device, that's on us; if it's a bad password, that's also on us. And I don't expect non-technical people to be computer savvy, so we want to give them something that is going to help protect their organization and make it as easy as possible for them to be safe and secure, so they can concentrate on their core competencies.

Continuous trusted access is a great way to do this. I mean, some people say zero trust; I like it this way because a lot of times I've heard people spit on the floor when they say zero trust. Zero trust really is fundamentally about reducing risk. So if you say continuous trust and access, it's making sure that you're going through and approving all the users, devices, and applications on a continuous basis, because, as I said, trust is ephemeral. This will help improve matters in the longer term. And you want to make sure that security is part of your mission overall. So just saying, you know, you're one little security group running around terrorizing people in your organization, saying "do this or bad things will happen", isn't going to help improve matters. We want to make sure that security becomes part of the fabric, the DNA fundamentally, of your organization, because as a security professional I shouldn't have to exist; this should be part of the overall structure. But again, going back to when we're born into the world, as Malcolm Gladwell said, we default to trust, and we want to make sure that we are helping organizations better understand this, because security people are a little different.

We have to get away from the baling wire and duct tape approach to putting our systems together. We have to have clear strategies in order to get to that better place, and we do that through having clear and concise planning. You want to trust but verify within your organization; you need to establish trust in your user identities, devices, applications. We've got to sanitize our inputs and outputs for our applications; I mean, SQL injection has been on the OWASP Top 10 since the beginning. It's still there, still one of the absolute biggest ways for attackers to breach systems. And we have to make sure that we're patching things. We can't just be worried about the zero-days; I'm more fundamentally worried about the 100-day, the 200-day vulnerability that hasn't been addressed, that database service pack that has not been applied for three years. These are the kind of things that keep me up at night.

So if we go through it and we look at zero trust, or continuous trusted access, however you want to call it, it's about reducing risk. So fundamentally you want to go through: establish trust in user identities, evaluate the device, look at enforcing policies, and make sure that Dave from Canada is not suddenly showing up in Mykonos attaching to your systems when I'm not actually on that side of the planet. These are the kind of things you want to make sure you're on top of: securing the connections to all of your applications, because you don't want me sitting at a coffee shop here in Canada accessing your email systems when I don't work for you. And you want to make sure that you're going through all of that data you're collecting and looking for anomalies, because they will continue to happen, because attackers are going to always be looking for ways to get into your systems.

So here's a real quick flow. User requests access to an application. We establish trust on them using, say, multi-factor authentication or passwordless; these are ways to do a better job of authentication. Looking at the trustworthiness of the device: is it running Windows ME? In my web logs for my own site I have actually seen that recently; it wasn't ME, it was Windows 98. Somebody was trying to access my website, and I'm sure that was a horrible user experience for them. Enforcing policies on the user/device combination: make sure that Dave is in Canada, not in Mykonos or something, or Athens, for example. And making sure that you then build in a secure connection to the application. And once you've done all of that, go through and look for those anomalies.

So if you take nothing else away from this talk today, I need you to go and look up WebAuthn. It is an open standard that really is about passwordless authentication, and this is a way to make it easier for the users to access their systems. We want to make sure that we are making things that are going to democratize security, making it as easy as possible for people to get their jobs done. We've learned a lot of lessons along the way; the problem is putting those into action. We want to make sure that we are facilitating a better conversation, because as security practitioners we have really gotten to that place where we are now at the adults' table; we're being taken seriously. So we have to make sure that we capitalize on that opportunity to better secure the environment, by being a champion for the environment of our organizations, to better secure them. There are a lot of problems out there. We've got to make sure that we're not worried about the sharks that are patrolling the waters; we've got to look at the ocean. The ocean is really the bigger threat, and often overlooked. We want to make sure that we're building a safe and secure future, and using multi-factor authentication, using passwordless, making sure that you are reducing security debt in your environment are all ways to better improve things, because we don't need to cause ourselves problems; we've got enough of them to contend with as it is.

Thank you very much for having me, BSides Athens. Hopefully I'll be able to do this in person in the future. If you want, drop me an email at gattaca at cisco.com, or find me on Twitter at gattaca. It is truly an honor to be able to be part of this again today, and thank you, and see y'all later. Bye.
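The continuous trusted access flow the talk walks through (establish trust in the user, evaluate the device, enforce policy on the user/device pair, then look for anomalies such as "Dave suddenly showing up in Mykonos"), as an added worked example that is not part of the talk or of any Cisco or Duo product: a small policy evaluator run over a constructed stream of access requests. The field names, the supported-OS list, the 30-day patch threshold and the impossible-travel speed are assumptions.

```python
# Added example: a policy evaluator for the continuous-trusted-access flow in
# the talk. Field names, thresholds and the supported-OS list are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import math

# Assumed: endpoint operating systems the organisation still supports.
SUPPORTED_OS = {"Windows 10", "Windows 11", "macOS 12", "macOS 13", "Ubuntu 22.04"}
MAX_PATCH_AGE_DAYS = 30       # assumed policy: patches older than this are debt
MAX_SPEED_KMH = 1000.0        # assumed impossible-travel threshold (airliner ~900)


@dataclass
class AccessRequest:
    user: str
    mfa: str                  # "none", "otp" or "webauthn"
    device_os: str
    patch_age_days: int       # days since the device last applied updates
    lat: float
    lon: float
    ts: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # why access was refused


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def evaluate(req, last_seen):
    """Apply the policy to one request. last_seen maps user -> the previous
    allowed AccessRequest. Every refusal records its reason for the audit trail."""
    reasons = []
    # 1. Establish trust in the user: require phishing-resistant MFA (WebAuthn).
    if req.mfa != "webauthn":
        reasons.append(f"mfa:{req.mfa} (webauthn required)")
    # 2. Evaluate the device: an unsupported OS or stale patches are security debt.
    if req.device_os not in SUPPORTED_OS:
        reasons.append(f"device_os:{req.device_os} unsupported")
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patch_age:{req.patch_age_days}d exceeds {MAX_PATCH_AGE_DAYS}d")
    # 3. Enforce policy on the user/device pair: impossible travel since last login.
    prev = last_seen.get(req.user)
    if prev is not None:
        hours = (req.ts - prev.ts).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, req.lat, req.lon)
        if hours > 0 and km / hours > MAX_SPEED_KMH:
            reasons.append(f"impossible_travel:{km:.0f}km in {hours:.1f}h")
    return Decision(allow=not reasons, reasons=reasons)


def run_stream(requests):
    """Continuous verification: every request is evaluated, not just the first,
    and the last allowed location per user feeds the next travel check."""
    last_seen, decisions = {}, []
    for req in requests:
        d = evaluate(req, last_seen)
        decisions.append(d)
        if d.allow:
            last_seen[req.user] = req
    return decisions


# Constructed sample stream: Dave logs in from Toronto, then "from Mykonos"
# one hour later (refused), then from Mykonos twelve hours after Toronto
# (plausible flight, allowed); Frank brings an OTP and a Windows ME box.
T0 = datetime(2022, 6, 1, 9, 0)
SAMPLE = [
    AccessRequest("dave", "webauthn", "macOS 13", 5, 43.65, -79.38, T0),
    AccessRequest("dave", "webauthn", "macOS 13", 5, 37.45, 25.33, T0 + timedelta(hours=1)),
    AccessRequest("dave", "webauthn", "macOS 13", 5, 37.45, 25.33, T0 + timedelta(hours=12)),
    AccessRequest("frank", "otp", "Windows ME", 900, 43.65, -79.38, T0),
]

if __name__ == "__main__":
    for req, d in zip(SAMPLE, run_stream(SAMPLE)):
        print(f"{req.user:6} {'ALLOW' if d.allow else 'DENY ':5} {d.reasons}")
```

The refusal reasons are the data the talk says to keep looking through afterwards: a steady stream of impossible-travel or stale-device refusals for one account is the anomaly to chase.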
