Finding Your Way In the Dark: Security From First Principles

Susan Sons

Senior Systems Analyst, IU CACR  |  Information Security Officer, OSG

https://cacr.iu.edu/principles
http://security.engineering/talks

Across Time

  • The principles worked for Sun Tzu, for Augustus Caesar, for Cicero.
     
  • They work as well with paper and ink records as with digital databases.
     
  • They work on things I haven't thought of yet.
     
  • Quit starting over every couple of years.

Across Roles

  • What would happen if your programmers, systems administrators, policy-makers, managers, and information security experts all spoke the same language?

 

  • It doesn't help security if management doesn't know enough to prioritize, or the systems and code owners don't know enough to implement.

Death By Checklists

Where does information security

come from?

Just Seven Principles

Don't be this guy.

The Information Security Practice Principles (ISPP)

  • Comprehensivity:   Am I covering all of my bases?
  • Opportunity:   Am I taking advantage of my environment?
  • Rigor:  What is correct behavior, and how am I ensuring it?
  • Minimization:  Can this be a smaller target?
  • Compartmentation: Is this made of distinct part with limited interactions?
  • Fault Tolerance:  What happens if this fails?
  • Proportionality:  Is this worth it?

You've probably seen some of these before:

  • Comprehensivity:   End-to-end encryption, Inventory, Reconnaisance
  • Opportunity:   Information Sharing, Common Tools, Pentesting
  • Rigor:  Governance, Monitoring, Auditing, Follow-Through
  • Minimization:  Attack Surface, Compactness, Data Minimization
  • Compartmentation: Least Privilege, Forward Secrecy, Airgap, Clean APIs
  • Fault Tolerance:  Resilience, Revocability, Defense in Depth
  • Proportionality:  Usability, Risk Acceptance, Fighting to the Goal

The Principles

In Practice

Comprehensivity

Opportunity

Rigor

Minimization

Compartmentation

Fault Tolerance

Proportionality

The Information Security Practice Principles (ISPP)

  • Comprehensivity:   Am I covering all of my bases?
  • Opportunity:   Am I taking advantage of my environment?
  • Rigor:  What is correct behavior, and how am I ensuring it?
  • Minimization:  Can this be a smaller target?
  • Compartmentation: Is this made of distinct part with limited interactions?
  • Fault Tolerance:  What happens if this fails?
  • Proportionality:  Is this worth it?

Q & A

Don't stop now!

Using and Sharing This Work:

Creative Commons License  "Finding Your Way In the Dark: Information Security From First Principles" by Susan Sons is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

 

Please credit Susan Sons and the IU Center for Applied Cybersecurity Research when using this presentation.

Permissions beyond the scope of this license may be available; send inquiries to sesons@iu.edu.

 

Slides and talk notes will be available by the end of the day tomorrow at:

http://security.engineering/talks

Finding Your Way In The Dark

By Susan Sons

Finding Your Way In The Dark

Presented at the 2017 NSF Cybersecurity Summit, "Finding Your Way In the Dark: Security From First Principles" is a lesson in stepping back from checklists and vague requirements to do real information security from first principles, using IU-CACR's Information Security Practice Principles.

  • 156
Loading comments...

More from Susan Sons