[CB16] Keynote: How much security is too much? by Karsten Nohl
•
2 likes•1,483 views
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda. Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better? Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security? This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely. --- Karsten Nohl Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
Report
Share
Recommended for you
Recommended for you
Recommended for you
Recommended for you
Recommended for you
Recommended for you
Recommended for you
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to [CB16] Keynote: How much security is too much? by Karsten Nohl
Similar to [CB16] Keynote: How much security is too much? by Karsten Nohl (20)
More from CODE BLUE
More from CODE BLUE (20)
Recently uploaded
Recently uploaded (20)
[CB16] Keynote: How much security is too much? by Karsten Nohl
- 2. What you will take away from this keynote 2 1. Hear from a security researcher and practitioner about which protections work and which are unnecessary 2. A better understanding of the security- innovation trade-off 3. Some ideas for deploying effective (but never perfect!) security measures
- 5. Agenda 5 1 Security researchers* take extreme positions 2 Many companies only react to extreme positions 3 The security community is fighting vulnerabilities, not risks Information security Product security * As reported in the media A B
- 7. Your iPhone getting hacked is rather unlikely 7 Pegasus malware FBI-style hardware hacking - 1 billion iOS devices possibly vulnerable + Only one (!) attempted infection + Apple patched the vulnerability within 10 days - Hack is now publicly available at low cost + Only possible with hardware access + Only works against the oldest 22% of iPhones (5c and older, March 2016) Source for graph: http://info.localytics.com/blog/how-will-apples-newest-iphone-impact-mobile-engagement iPhone market break-down [Apr 2016] 6 5S 6S 6 Plus 6S Plus 5 5C 4S 4
- 8. Agenda 8 1 Security researchers take extreme positions 2 Many companies only react to extreme positions 3 The security community is fighting vulnerabilities, not risks Product security A
- 9. 9 Android 654.44.3 (and older) Hacked devices vs. market break-down (%) 0 50 100 Market break- down Hacked phones ~2% hacked Not hacked Few Android phones get hacked; those that do are outdated Source: developer.android.com/about/dashboards/index.html , https://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf,
- 10. Should mobile really be a chief security concern? 10 <0.1% ~2% (<0.2% for current devices) 20-40% iOS infection rate Android infection rate Windows infection rate http://www.pandasecurity.com/mediacenter/src/uploads/2016/05/Pandalabs-2016-T1-EN-LR.pdf
- 11. Companies InfoSec priorities are not aligned with actual incidents 11 vs. 1. Buy iOS security software 2. Ban or lock down Android devices … 10. Do something uncreative about Windows security, like upgrading antivirus software 1. Windows 2. Windows 3. Social engineering 4. Windows … 100.Android ILLUSTRATIVE Typical corporate InfoSec priorities Actual endpoint hacking incidents
- 12. Agenda 12 1 Security researchers take extreme positions 2 Many companies only react to extreme positions 3 The security community is fighting vulnerabilities, not risks Product security A
- 13. Your time is best spent protecting from most likely threats 13 Low Medium High Vulnerability / Hacking ease Hacker incentive Damage Risk Don’t bother protecting your Internet- connected computers from BadUSB before you solved the malware challenge Infect computers from USB firmwares Local attack propagation (Varies by system) Infect Windows through e-mail attachments or malicious websites Remote infection (Varies by system) BadUSB Targeted malware ILLUSTRATIVE
- 15. Security caution can delay safety, and ultimately kill people 15 0 1 2 3 4 5 1970 1980 1990 2000 2010 2020 Car fatalities per 100 million miles [US] Autonomous cars?Airbags Adaptive cruise control ABS ESC § If we test all new car components for hacking risks, we delay their introduction § A delay of 3 months due to security design and testing means more people get killed on the road § 200.000 more people die within the next 10 years SOURCE: https://en.m.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year
- 16. Agenda 16 1 Everybody breaks security rules (but we don’t usually talk about it) 2 Unpopular security controls are not effective, and worse: they inhibit innovation 3 For security or innovation to work, we need user-friendly solutions 4 Threat monitoring is user-friendly. It increases motivation, productivity, innovation and security Product security Information security B A
- 18. Large hacks are often the result of protections circumvented by people who “need to do their job” 18 Hacking case Target lost credit card data for 300 million customers Root cause A Target supplier installed a remote access tool to tunnel into target network for maintenance Target’s CEO Steps Down Following The Massive Data Breach
- 19. Agenda 19 1 Everybody breaks security rules 2 Unpopular security controls are not effective, and worse: they inhibit innovation 3 For security or innovation to work, we need user-friendly solutions 4 Threat monitoring is user-friendly. It increases motivation, productivity, innovation and security Information security B
- 20. 20
- 22. Circumventing restrictive controls often is net positive 22 Area Incident example Cost Destructive damage § Scada hack damages factory 10m 2% Lost revenue § Major government contract does not close 50m 1% Image impact § Major marketing campaign needed to offset hacking impact § Smaller campaign needed to offset smaller hacking impact 15m 1.5m 1% 10% Competitive damage § Theft of major IP (patent application, design document) § Negotiation details stolen (M&A, long- term contracts) 5m 2m 10% 10% Effective total cost per year <2m Likelihood per year Trade-off function. Invest until damage elasticity = incremental protection effort Security can save millions vs. § “Billion dollar ideas” mostly grow from creative people freely playing with innovative technology, which is the opposite of what security often aims for § Microsoft paid USD 9 billion to buy Skype, a technology the Microsoft policies would not allow § German “Datenschutz” vs. Silicon Valley profits Trade-off function. Protect until and as long as innovation can flourish Restrictive security can destroy billions in value
- 23. Too little and too much protection hinders innovation 23 Damage Protection effort Innovation potential Incidents spread fear Restrictions kill innovation energy
- 24. Agenda 24 1 Everybody breaks security rules 2 Unpopular security controls are not effective, and worse: they inhibit innovation 3 For security or innovation to work, we need user-friendly solutions 4 Threat monitoring is user-friendly. It increases motivation, productivity, innovation and security Information security B
- 25. Less-restrictive protection alternatives often exist 25 § Many complex passwords § Web proxy blocklists § No admin rights for users § Corporate phones (Blackberrys) § Endless pentesting § Security policy § DLP Restrictive protections § Single-sign-on using smartphones § SSL termination and monitoring § Process monitoring § BYOD with ActiveSync and VPN § Bug bounties § Awareness campaigns § Awareness; or simply more trust Innovation-friendly alternatives Where no restrictive alternative exists, close risk monitoring may allow you to keep restrictive protection switched off until a risk becomes real
- 26. Agenda 26 1 Everybody breaks security rules 2 Unpopular security controls are not effective, and worse: they inhibit innovation 3 For security or innovation to work, we need user-friendly solutions 4 Threat monitoring is user-friendly. It increases motivation, productivity, innovation and security Information security B
- 28. SOC ramp-up delivers fast results only in top-down manner Bottom-up – Start with data Top-down – Start with threats 18 months Days per use case Forensically investigate incidents Start with most relevant threats Create tailored use cases Collect only data needed for current use case § Add advanced use cases § Generate alarms § Become familiar with data § Integrate more sources § Collect available data sources § Create simple use cases 28 vs
- 29. Take aways 29 Questions? Karsten Nohl <nohl@srlabs.de> 2 3 4 The largest risk-cost trade-off is between restrictions and innovation potential Often, innovation-friendly alternatives exist that can replace restrictive choices Risks need to be monitored and managed: “Protection from everything” kills innovation, thereby kills the very things you want to protect 1 We chase after vulnerabilities instead of risks by forgetting about hackers’ incentives