Finding Your Way In the Dark: Security From First Principles

Susan Sons

Senior Systems Analyst, IU Center for Applied Cybersecurity Research

https://cacr.iu.edu/principles
http://security.engineering

CIA Triad

  • Confidentiality
  • Integrity
  • Availability


Information security is about reaching a goal: some combination of confidentiality, integrity, and availability for the information or system at hand.


The rest of this presentation is about the mechanisms by which we reach these goals.

Death By Checklists

Checklists Can Be Useful

As Tools, Not Rules

It's All About Risk Management

Carry out the mission...

...reduce risk...

...understand the risk you take.

Where does information security come from?

Risk-based security alone:

  • Fuzzy
  • Vague
  • Unmeasurable, intuitive
  • Hard to teach
  • Hard to communicate
  • Pits mission leaders against risk-limiters

Risk-based security backed by the ISPP:

  • Concrete, but flexible
  • Measures can be evaluated and improved
  • Teachable
  • Aids communication
  • Turns risk-limiters into mission-protectors

Just Seven Principles

Don't be this guy.

Across Time

  • The principles worked for Sun Tzu, for Augustus Caesar, for Cicero.
  • They work as well with paper and ink records as with digital databases.
  • They work on things I haven't thought of yet.
  • Quit starting over every couple of years.

Across Roles

  • What would happen if your programmers, systems administrators, policy-makers, managers, and information security experts all spoke the same language?


  • It doesn't help security if management doesn't know enough to prioritize, or the systems and code owners don't know enough to implement.

The Information Security Practice Principles (ISPP)

  • Comprehensivity:   Am I covering all of my bases?
  • Opportunity:   Am I taking advantage of my environment?
  • Rigor:  What is correct behavior, and how am I ensuring it?
  • Minimization:  Can this be a smaller target?
  • Compartmentation: Is this made of distinct parts with limited interactions?
  • Fault Tolerance:  What happens if this fails?
  • Proportionality:  Is this worth it?

You've probably seen some of these before:

  • Comprehensivity:   End-to-end encryption, Inventory, Reconnaissance
  • Opportunity:   Information Sharing, Common Tools, Pentesting
  • Rigor:  Governance, Monitoring, Auditing, Follow-Through
  • Minimization:  Attack Surface, Compactness, Data Minimization
  • Compartmentation: Least Privilege, Forward Secrecy, Airgap, Clean APIs
  • Fault Tolerance:  Resilience, Revocability, Defense in Depth
  • Proportionality:  Usability, Risk Acceptance, Fighting to the Goal

The Principles

In Practice

The Information Security Practice Principles (ISPP)

  • Comprehensivity:   Am I covering all of my bases?
  • Opportunity:   Am I taking advantage of my environment?
  • Rigor:  What is correct behavior, and how am I ensuring it?
  • Minimization:  Can this be a smaller target?
  • Compartmentation: Is this made of distinct parts with limited interactions?
  • Fault Tolerance:  What happens if this fails?
  • Proportionality:  Is this worth it?

Q & A

Many Thanks!

  • To my ISPP teammates, Craig Jackson and Scott Russel, for helping me build the Principles.
  • To CACR, especially our director Von Welch, for the freedom to work on this, and to come teach it here.
  • To O'Reilly, for having me.
  • To countless people who gave feedback along the way.

Presented 10 May 2017 at O'Reilly OSCON, "Finding Your Way In the Dark: Security From First Principles" is a lesson in stepping back from checklists and vague requirements to do real information security from first principles, using IU-CACR's Information Security Practice Principles.
