All right, let's get started. Hello, everyone. Happy Thursday. Days are starting to blur together, so. Okay, so a couple logistical things before we get started. Ferris and I set up our office hours. My office hours are going to be 11:30 to 12:30 on Wednesdays, which is not what it says here, so I will clearly need to change that. Okay, and Ferris will have his office hours on Monday and Friday, and I don't have the times in here yet, but I will put those in, so we will be available Monday, Wednesday, Friday if you need help, want to come talk to us. I assume that since there's no assignment yet, none of you actually want to talk to us. In general, I'll send out the video at some point. There's a cool video that ASU created about not being afraid of going to your professor's office hours because it's a great way to get us to know you. If you look around this room, there is a lot of you. I probably should have said from the beginning, I will probably not remember all of your names. I'm much better at remembering faces, but names I'm really bad at. If you sit in the same area, I'm more likely to remember you over time. But besides that, if you want something in the future like a letter of recommendation or something, it's much better if you go to office hours, talk to me about whatever. That way, I have a name to put to a face and so, oh, I've seen this person before, not just as a body sitting in my class answering questions during things. Other cool things, so I set up a Piazza, so if you would all go and think you can register for this, I'm actually, I'm still learning Piazza, but I have heard it's more trustworthy than Google Group, so I think that'll be important for us. I'll post all course announcements through here. I will also, I will also be having, we'll have all of our discussions on here, so when you have questions that you need answers to, you can email us directly.
What we will likely do is, if it's something, if it's obviously not something that's personal and private, we will take that, create a Piazza post out of it, and then answer that question so that everyone can see the answers. You all don't see this because you're about a hundred and thirty people in classes roughly, but oftentimes what happens is we keep getting the same questions from different people and then answering them individually is silly. We want to share that knowledge, answer questions to everyone. So, I don't know, I guess general rules of civility on this apply, be nice, answer questions from your fellow students. This is not a competition. It's not graded on a curve. You can all get A's, so help each other out. And we'll have a good time this semester. Any questions on that? Wait, how do I sign up for Piazza? Wait, there's a link on the web page. You'll be able to see it. All right, let's go back to where we were. All right, so we started talking about a house. Somebody walk us through, revive our memories of what happened on Tuesday. What types of things were we talking about with the house in terms of threats? What threats did we come up with? Did we think those were realistic or not? What kind of policies did we talk about to defend those threats and what kind of mechanisms did we use? Brainstorm some threats. It's like unauthorized people coming in, natural disasters, neighbors, neighborhood. Neighbors as a threat, man, that's harsh. Remember being that harsh. Yes, no, no, no, it was, I'm deceiving. Yeah, the idea was really threats in terms of your, you shouldn't be worried about, in terms of a house, people across the world. You should be worried about the people kind of around you physically because those are the people who can have physical access to what you're trying to protect. Anything else? Yes. Whenever you're supposed to replace fire extinguishers. Yeah, read the instruction manual. Figure out when to replace it.
So that's a great example. So the threat, I think we can all agree that fire is definitely a threat. Do you guys have to take fire training? From ASU, just staff again? Okay, yeah, so if you're employed, I guess maybe employed during a lab or something. So we take fire. So as part of, if you think about ASU, ASU, they're worried about the threat of fire. What are they also worried about in that context? In terms of fire, let's say. People dying, yeah, for sure. What was that? Who said it? Yes, getting sued, exactly. So these are all things they're worried about. So if a fire happens and then somebody says, what is your policy in training your staff to deal with the fire? And they say, oh, we don't have any policy. Then they could get legally liable for whatever happens. So that's why as part of being employed by ASU, I have to take fire and safety training every year. So I did it when I started. Like literally you do that in orientation and then you do it once every year of re-upping so that you can. So that way they know their employees can respond to a fire appropriately if it happens. And then that way they can't be sued if something bad happens because they can say, look, we train all of our employees every year on this. So we have proper policies and mechanisms in place. So the policy would be everyone needs to take fire. Every ASU employee needs to take fire training every year. A mechanism to enforce that is a little thing in My ASU, which you've probably not seen, which bugs you if you're out of date on your thing. And then you start getting emails from your boss saying you really need to do your fire training. So those are all the mechanisms that they put in place. Awesome. Did anybody have any inspiration, threat-based inspiration over the last two days? I want to share with us a cool threat that they've come up with. Nobody woke up in the middle of the night. I've been thinking about that class for a day now.
Yeah, we actually didn't talk about that breaking into what we talked about unauthorized access. We actually focused a lot on the door. And I think somebody also mentioned windows and in the sense of putting bars on the windows. But one of the things, and especially this is, I don't know, has anyone ever got locked out of their house before? House or apartment? What do you start doing? Yeah, you start checking. You start thinking like an attacker and you start thinking, how can I break into this apartment or house? So you start to evaluate everything in a different light. You start to think, huh, how easy is it to take these screens off of these windows? Which windows are unlocked that I can just move them over? If their first floor windows are done, then you start thinking about the bathroom window on the second floor that may be by a tree or a fence that you can climb up. Has nobody ever done this? Okay. And this goes into when we talked about the house itself, right? So what's important is understanding that physical context in this case. Are there trees that are right by our windows so that somebody can climb up easily to the second story and get in those windows? So do our mechanisms and policies have to deal with locking every single window in the house or just kind of that first floor window? We'd look at the house and we'd say, where are the drainage pipes? Or somebody could maybe climb up those pipes? Maybe think of an interesting possible threat, like maybe creepy people come in spying. So we didn't talk about privacy at all. Do most people have curtains on their windows or some kind of blinds or something? Is that strictly necessary in terms of securing unauthorized people from entering your house? It's a good deterrent. Why is it a good deterrent? Because they don't know what's in there, right? So if they don't know what's in there, maybe why bother breaking into your place when they can see that there's actual things to steal in somebody else's place.
But we do that mostly in terms of privacy, right? Because we want to make sure that... So that's another kind of threat that we didn't really talk about is we don't want people to be able to see into our house because that's kind of our private space. We didn't really talk about walls that much unless you have like a brick house or something. A lot of them are made of drywall and wood so they could just go through the walls. Yeah, so that would be depending on our threat model, right? If we are storing something incredibly valuable, if I told you I have a million dollars in my house, which I do not. But if I did, I may be worried about people ramming a car or something just into the side of my house to get in. Like why bother with doors or windows at that point? A car is worth way less than a million dollars, usually depending on what car you use, right? And so it might be worth it to just total the car to get access to the house to steal the money and then leave. So you said like getting locked out. The first thing I thought about would be like calling a roommate, but what if somebody else calls you and pretends to be you? Yeah, or think about a locksmith. Anybody ever call a locksmith because they're locked out? What do they do? They break into your house. Yeah, they break into your house, right? They literally come to your house with all the tools necessary and the knowledge of how to break into almost I would say most locks on houses. And there I believe they're supposed to check your ID to see if you live there. I don't know how much that actually happens and I actually don't know the legal requirements in every state. But yeah, so similar to that thing, right? Well somebody just calls a locksmith and says, Hey, I'm locked out of my house. I really need to get in there.
Like, I don't know, you can say something like my dog's in there and they haven't been fed and they have no water like, and so the locksmith comes and you're creating this sense of urgency that they maybe don't check your ID or I don't know, you kind of trick them somehow and then they let you into the house. Yeah, so these are all things definitely that we should be thinking about. So cool. So what are our goals for security policies? So we've been talking, we talked through an example. We talked through an example of a lot of different threats. We talked about policies and mechanisms. So what is our goal with our security policies? Say it louder. They're simple to follow. Simple to follow, why should they be simple to follow? Right, exactly, because a policy by itself does nothing, right? Essentially it's a set of written rules. But rules have to be enforced and people have to actually follow the rules for them to be, and so that actually goes to what we were talking about earlier about thinking about the human factor, right? Thinking about who's implementing these rules, right? The locksmith example is a pretty good example because, so if the policy says that all locksmiths should check everybody's driver's license before they open up a house, would you expect all locksmiths to be able to properly validate people's identification? It would probably be maybe easier to fool a locksmith with a fake ID than a bouncer at a nightclub who deals with that literally all the time, right? So thinking about who's actually doing this, how easy is it for them to follow that policy? If the policy is crazy complicated, then how would you, why would you expect people to actually follow it? That's good, what are other goals? So like you wouldn't have three locks with the same key on the same door? Nice, interesting. So you wouldn't, you may not want, although, so let's say you may not want three locks on the same door, but a lot of doors actually do have multiple locks.
Why is that? But they aren't the same lock, are they? They're not the same lock in what sense? Yeah. One's like a deadbolt, the other one's just a guy. So what's the difference? It's harder to break, like to just like ram through a deadbolt. Yeah, so there may be multiple kinds of locks, right? There could be, I'd say most, when you think of door locks, probably have at least two, one that's like the normal lock and one that's a deadbolt that you slide in, and again, I'm not a construction person, but the deadbolt goes in the wood, so it should be a lot harder to break down that door if it's deadbolted in. It's not impossible, I think it can still be done, but it increases the bar. What else? Anybody see any other kind of locks? Why? Okay, so a combination lock, yeah, maybe on your bike, which may be as a four-digit lock, a four-digit combo so you don't have to carry around the key all the time, so you don't have to lose your key and get locked out. Yeah? There's locks, they can only be locked from the inside. Yeah, so maybe you stay in a hotel. You stay in a hotel, there's at least three kinds of locks usually. There's the normal lock, there's the deadbolt, and then there's the chain that can only be opened from the inside, right? So there, so why does that kind of lock exist? Housekeeping or the hotel, right, in some sense, because you're staying in that room, your security policy is you probably don't want anyone to come in. From the hotel's perspective, I mean, they can literally just make a key card for your room to open that key card door, right, oftentimes. So that's why they provide an additional mechanism for you of this chain lock that can suppose, it's still, of course, not completely secure because somebody could very easily still open it, but it gives you an additional level of protection and assurance, yeah. But in a similar vein, there are locks that have master keys. Like here, ASU, right?
Like I have keys, maybe I shouldn't show you because technically you could take a picture of this and make these keys, but I actually don't remember which is which, so that's good. One of these is a key to my office and the other one's a key to our lab's server room. And so I have these keys. They work supposedly only in those doors, but when you think about how does, if maintenance needs to go into those rooms, do they have to find me to open that key? No, they have either their own copy of the key or all the keys or all the locks are made such that there's a master key that kind of, or another term is skeleton key that opens kind of all those doors in an organization. Yeah, so it depends on the security goals, yeah. Tamper-evident locks. What's that? Like if someone tries to break the lock, they might be able to, but it becomes rather evident that that was what happened. Yeah, so one of the problems, I mean, one problem with a lot of locks is, well, how do you know if somebody broke in? I mean, it depends on the lock, but, you know, you may not even know that somebody was in because they either made a fake key or they lock picked your door and just opened it and got in. So a tamper-evident lock would say, okay, I'm fine with somebody getting in, but I want to know that they actually got in. So this kind of goes through the logging and those kind of things. So we got off on a bit of a tangent, so let's go back to kind of the goals of security policies. To prevent victims, we'll go a little bit more abstract. So thinking about security policies in general. So from thinking of that, so what was the point of creating a specific policy? To prevent specifically what happened? A threat, yeah, exactly. To prevent a specific threat. So usually, I mean, this is why these are so interrelated, right? You think about the threats to your system. You think about what threats you want to defend against, and then you create policies that address those specific threats.
Any other goals? Yeah. Leave some room for kind of growth and change in those policies so you don't have something that relies on this policy and that relies on this policy that would require you to rewrite the entire security policy. Right, so you definitely, and this is something talking to people in the industry that I found over and over again, is they tell me that... One thing I wanted to do was to get a company's old security policies so that we could all read it and understand it and critique it. And they said, yeah, that'd be super cool. But the problem is, like, our current policy is basically an evolution of our old policy. Even though it's changed a lot, it's still kind of evolved from that original thing, so we're not really comfortable sharing that with you. And so when we think about it, really... So there's kind of three types of things that we think about in terms of security policy goals, which is all the things that we've talked about. We want to prevent things from happening in the sense that we want to prevent threats. This is what we talked about. So we're worried about fire. The policy is we need to have a working fire extinguisher in every room and in order to prevent a fire. So if a fire happens, we can try to put it out before it occurs. Another thing that we talked about, and this is with the tamper-evident locks, is detection. So we want to know if something happens. So this would be in the house example, we talked about installing a security system through some company that has motion sensors and will alert somebody when somebody unauthorized is in the house. That doesn't by itself prevent anybody from breaking into our house. It may... Let's say it could deter people from breaking into the house. If you have the sign that says this house is secured by this security company, which actually leads to an effect of people just putting up those signs but not actually having the security system in place. But still, these are useful.
So why are they useful? Well, for computers, it's very... If someone were to access it, you need to be able to show that someone accessed your data. Right, exactly. And this extends to pretty much every type of scenario, right? So you think of... If you're a company, you want to try to prevent people from attacking you, breaking into your system, stealing your data. I think we'd agree with that. But at the same time, you need to be realistic and understand that nothing is 100% secure. There's always going to be something that possibly happens. I mean, there's... You can spend as much money as you want on security. There's been a lot of examples of this, I would say. I mean, JPMorgan Chase is a huge banking system. Banks take security incredibly seriously. And yet, in... I think it was 2014, they had like a hundred and... Well, I don't remember the exact number of credit cards, but they had a hacker in their network for six months who stole a bunch of user information and credit card accounts and all this stuff. And they didn't even know that that person or group was in there for six months. There was the Equifax hack. Yes, and the Equifax hack was also another very good one, right? So it's... And so, I don't know about that one. Actually, I think Equifax might have been... A lot of the ways that these are detected is because people start looking at underground forums, start seeing what credit cards are being sold on there. They report that to, like, AmEx, Visa, and Mastercard, and then they run analysis to see what do all these numbers have in common. Oh, they were all used by this one retailer, which means their credit cards must have been hacked. And that's kind of how they found out. Target was another one that was like this, where Target was hacked actually through their HVAC system, the, like, AC system, and then they got a bunch of their credit cards.
So, yeah, you think about, as a security company, that's very embarrassing, or as an organization, because your data is out there, you don't even know about it, you haven't detected anything. So you'd much rather detect something as it happens so you can respond to it and address it there. I think there was a hand back there. Something that? No. I said everything you wanted to say. Okay, cool. Awesome. So there's a third goal here that we really want to do with security policies, and that's recovery. So why is recovery important? Right, so exactly. So we want to be able to, so there's a couple different things in here, right? One thing is we need to be able to get our systems back into their original state. Right? So if we find out that some developer's laptop is compromised, we want to be able to revert our systems back to a state where they're not compromised, and then ideally figure out how it happened, how they got in, so you can prevent it in the future. So you can actually think of these in kind of a circular fashion, where you have these security goals. You want to prevent as much as you can. Why do you want to prevent as much as you can? Because no one's really going to accept what we found it really quick, so it doesn't matter. Yeah, if you have perfect detection, if they're still attacking you all the time and stealing all your user data or compromising the security, yeah, your data is still out there, right? You're still under attack, even though your detection is perfect. So you want to prevent as many things as you can. One thing that I will say that companies can get into trouble with is trying to say, oh, look at how many attacks per day we prevent. What they'll do is they'll cast a very wide net. So we haven't really talked about it yet, but one of the major ways when I talked about going around and jiggling front doors to see if doors are unlocked, one of the main ways to do that is port scanning on the internet.
So port scanning is basically many different ways. In TCP it's basically sending a SYN packet to every single port on an IP address to see which ports you get a SYN-ACK back, which means that there's some application listening on that port. So you can say, oh, there's port 80 listening, which is a web server, there's port 443 and there's an SSH server and maybe there's a Samba server that's running an old version that you can break into. But what a lot of companies do is that they can consider that an attack and then say we detect port scans and then we block them. So we've prevented that attack. But really a port scan itself is not really an attack because nothing has happened yet. It's really part of the reconnaissance phase. So it's just a... People can get hung up on raw numbers of prevention without actually thinking through what are the things that they should be really worried about that they're not preventing. Like insider attacks, which we talked about. If you're not preventing those type of things, then you have a huge attack surface that you have left over. So these really feed into each other. So you want to prevent as many things as you can and you need to be realistic and say, okay, we cannot prevent everything. So we need to make sure we have mechanisms and policies and mechanisms in place so that we can detect when something happened and then we can respond to that and try to recover. And the idea would be you learn from that incident and you put new policies, new mechanisms in place in order to prevent what happened. So is this kind of like organized chronologically, like before the attack, when it happens, you want to attack it after? Yes, exactly.
So thinking about that in terms of a single attack, exactly. So you can think about, like, I don't know, or you can think about it in terms of like a big stream of events coming in and kind of a funnel, so you'll have a bunch of people, a bunch of people, organizations attacking you. You will prevent hopefully a large chunk of that. Some of them will get through and things will happen. So you need to be able to detect as many of that as possible so that you can go back, put policies and mechanisms in place so that you prevent those in the future. And so what's the, I mean, what's, we talked about it a little bit, but in that kind of idea, what's the problem with having poor detection? You never go to the recovery stage, so you never learn to prevent those attacks. So if you're not detecting things, you're not going to put procedures and mechanisms in place in order to prevent those in the future. So this is why these are all super important. And the other thing is, so it's very easy when we think about threats and security policies and security mechanisms to focus on prevention and detection, because we're just thinking about, okay, somebody breaks in, what happens? But it's just as important to think about that third component of how do we recover. If you don't have backups, how could you ever recover from an attacker who deletes all your data? You will just be hoping and wishing that something works. So these are why these three areas are really all incredibly important and they need to be thought about kind of holistically. Right?
So that way, and you build this in with your policies, one of your recovery policies would be: after an incident happens, the analyst that managed that incident will write up an incident report about what happened and make suggestions about how to change the policies, what new mechanisms to put into place in order to prevent and maybe detect this in the future, and then you would add that into your cycle. So you build that in to your policies kind of from the start. Any questions? Policy experts? So how do we define policies? We've kind of been talking about them very abstract, well, not fairly abstractly. How do we define them? Writing a written natural language policy, written in English. This is good, bad? Pros, cons? Be ambiguous sometimes. English can be ambiguous? Surely you're joking. So English can be very ambiguous. It may not specify exactly what you want to do. It may not be clear. What are some other issues? Just because someone can read it and go like, all right, I'm supposed to change my password every 180 days, they may not know, well, why do I have to do that? Intent, so yeah, so in English, I guess this is kind of a common problem with security policies, and especially as, let's say, like a CISO, like a chief information security officer at the top of the company, specifies policies and then they go down four or five layers where they're actually implemented by real people, that knowledge and intuition about why should I be doing this maybe doesn't translate all the way down. That could definitely be a problem. That's a good point. Spoken almost as if somebody was a low-level employee at some point and following policies they don't understand. Something's written in a very simple language, it might not cover a more technical problem.
So then you have the problem of English in the sense that, okay, it's ambiguous, but maybe simple in the sense that it doesn't specify what should happen in every scenario. Maybe it's leaving out some corner cases that come up, and because the intent isn't really conveyed either, the person who's following this policy doesn't know what to do. Like a weird, I guess, what would that be? A weird example, yeah, I don't know, I mean, this happens all the time. I was trying to come up with an example based on the change your password every 180 days. Like what happens if, oh yeah, okay, so the change the password like 180 days, if that's the policy but you keep using the same password, right, that would be bad. Or what if you just keep adding like one to the end of your password every time you change it? Also bad, but still following the policies. Anything else? We've been talking about how English and natural language is bad, but is there any pros? Yeah, it's understandable? Understandable? Yeah, so it can be, right, so it can definitely go the other way and be, if you write your policies in too much of a like legalese where it's very formally written, it may not be understandable, but in general you can write a security policy that is understandable by people, which is good because people are the ones implementing your policy. Any other benefits? More easily changeable? Yeah, so ease of change, right. So you want to change the policy, you open up the policy in a Word doc, you add some new sentence, new clause, new paragraph, and then you communicate that out to everyone that the policy has now changed. You hopefully explain your reasonings why, about how this is going to make everybody more secure, but changing that really doesn't change things too much. Another way is you can use math. So you could formally specify your policy in an incredibly formal language, so that, and what would be one of the benefits here? What was that? Proofs?
Yeah, you could maybe prove something about your policy. You can say that the system will never get into state XYZ if we follow this policy. Somebody over here? Precise! Yes, math is very precise. Has anyone got their answer wrong on a math assignment? Did you do something wrong? Math is just like a compiler, right? It doesn't care what you intended to mean. If you forget a semicolon, your program doesn't compile, and it's the same as you writing a garbage program anyway. That's not going to try to do its best effort. Similarly in math, math is going to formally specify exactly what the policy should be. Anything else? I think there were some hands in the back. I was going to say that there is no room for ambiguity. Yeah, I don't know, that's good. So yeah, there's no room for ambiguity, right, because everything is formally specified. I was going to say, like, a con: it's not as understandable as like a natural language. Again, why not? Stack of like statistics, they're like, oh, all these numbers, what am I supposed to do with this?
Yeah, so does everyone agree that would be not as easily understandable as a not mathematically inclined person? I would definitely agree with that. You have to figure out all the definitions, figure out how they're defining things, figure out what notation they're using, which could be a real bear. Lack of ambiguity could also be a con as well, because if you have a global policy defined in this way but your suborganizations have different requirements and needs, now they also have to go in and redefine the global policy within that framework. Right, so the lack of ambiguity could actually be a double-edged sword. It should be clear in every situation what the policy means and how you should operate. On the other hand, I mean, I'd say defining all of those corner cases can be a real bear, and in, with natural language, you can trust that the human on the other end can kind of do their best, or you can say, or in this situation they should do whatever their best interests are. And then this gets more complicated if you think exactly of like a global, let's say a global conglomerate, like a big company that has a lot of subdivisions in different countries, which is what a lot of things do. So they'll have like the US branch and the Europe branch and all these different branches of the company that are each in charge of running their own thing, and now you have to make sure that all of that is using the same, like, ontology and they're all using the same languages when they're defining these formal definitions of the policy. Any other comments? You don't have to translate, like you said, different places, different languages. Well, that's interesting. That would be a pro then, in some sense, where you don't have to translate it to a different language. I'd say, yeah, that's cool. It's like a universal language in some sense, as long as they can understand the math and then follow along in their local language. That's cool. You can also go kind of an in-between type of thing. You can use a specific policy
language, so you can write the policy in, sorry, this mic is too, I don't know what to do about it. So you can write your policy in a kind of in-between, so like a machine-readable language. One of the examples of this is XACML, which is access control rules defined in an XML schema. So what would be some of the benefits there? What was that? Standard. So maybe there's other applications. If it's a standard language, people can write things that interpret it, understand it, display it to you. Adding to it can be easier. There can be tools that help you. There can be tools that check the correctness, changes that you made. It's not necessarily math, it's not English, it's a weird thing that has its own, learning C or C++ or JSON or any of these other kind of like data format languages, you need to understand the semantics of that language and what things mean. You still have to translate it down to your user base. If somebody is going to implement these policies, and if it's human, at some point it needs to be translated down. If it's easily machine readable, it may be easy to translate down, so you can have a mapping to English language, but then that may not be as nice to read. Exactly, yeah. Yeah, that's the idea. I'm a little bit skeptical on how much it actually does. I think in certain domains it definitely does help, and it's kind of the de facto standard in those domains. If you think about a general security policy, yeah, it is very tricky, because you do want those, you would like to be able to say things like, with this security policy, no unauthorized user can access the house, and then a, with a policy language or with math, you may be able to prove that without this kind of benefit of a formal reasoning system. It has the same problem mathematics, where you have to define all your fringe cases. Yes, definitely. So you need to define, or if, let's say, all the cases aren't defined, you need to understand the semantics of the policy language. So if you have a way to allow certain users to say, okay, these people can
maybe access the house, there's probably a default value that doesn't match any of those users, which would deny them. And so you need to understand that semantics, otherwise your policy may not even accurately capture what you mean, which is the same problem we have in programming. Anybody ever write code that doesn't do what they wanted it to do? It happens all the time. It happens to me all the time. You're sitting there staring at the code being like, why doesn't it work in the way it's supposed to work? It may not... you may not ever detect that, that it's doing something that you didn't know, because it's doing exactly what the policy language says it should be doing. Cool, good discussion. So how could you, how could you test, how you understand the correctness of a security policy? I'm like, I drill, or have someone come up and hit in the back. Yeah, so that's a really good example. I mean, so yeah, that's a good idea. So thinking about this in terms of taking the ideas from software testing, right? How do you test the correctness of a program? One way is coming up with test cases, essentially running through the policy with your test cases to see if the outcome based on the policy is what it actually is supposed to be. You can justify it. If you can say that again? If you can justify it. I mean, so if I can go to someone in my organization and say, alright, this is why we're having to change whatever you made today, that might make sense. But if I say, alright, this is why we're having you turn around three times and put on a blindfold before you enter the building, that might not work. Right, so OK, you could, I'd say, put that under almost like user acceptance testing in some way, right? Like go to the actual employees about how this policy would work to see if they actually do what the policy says they should do, right? In that case, after a certain point they're not going to bother with blindfolds going into the building, because that's silly. It's kind of important to check it against your metrics, you know,
prevention, detection, recovery, and make sure it actually does one of those. And then go back up to what is this policy supposed to be doing, right? Why do we have this policy in the first place, right? Does this policy actually address what we want it to address, and then does it address these three areas that we talked about? Exactly. Prevention, detection, recovery, and what was it supposed to address, right? That's another important thing. So yeah, I like thinking about that in terms of metrics. That's good. Yeah, good. Yeah, so yeah, that would be... and you may borrow one of those to start, right, and then use that going forward as the start of your policy. So yeah, and that's going with the password changing idea. If you say, well, if you were coming up with that on your own and you said we're going to change passwords every week, then you go and start looking at other policies and you realize at some point, well, people do, at least, I don't know, it's like three months is the normal timeframe of changing passwords. And then you probably find out that NIST has not recommended changing passwords anymore. It's much more important to have enforced difficult-to-guess passwords, so that even the password changing advice is being changed now. But, but yeah, but checking with kind of the industry. About the same time, should you trust, if you do this and everyone says, yeah, don't worry about that? Why not? 'Cause everyone could be wrong, and they're all... every kind of organization has different business requirements and different kind of scenarios that they're worried about. You may be terrified about some threat that nobody else is terrified about, and so if your policy is to address that unique threat to you, then even if other people's policies don't do that, that doesn't mean that you're necessarily wrong. Yeah, we can get someone to audit our policy. Hire someone. They would probably go through similar things, and essentially you can think of it as red teaming or almost penetration testing the policy itself. So thinking
through about scenarios. OK, what happens if this happens? What does the policy say should happen? So it's actually, even assuming that... it's kind of a cool way of, assume the policy is implemented 100% correctly and everybody does exactly what they're supposed to do, is there still a way for us to break it and to break your security requirements? Yeah, post-disaster review of the policy as well. So yeah, as part of... so rather than assuming at the start that your policy is going to be correct and perfect, right, you would build in as, I guess, I guess this would be a security policy policy, as after you have an event, you go back and re-evaluate your security policy in the context of that event and see what you needed to update and change based on that, so that you'd know over time your policy is evolving to combat the threats that you're actually seeing. And it doesn't even have to be your company either. Yeah, it could be... and this is actually what I've seen more and more talking to companies, is what's really interesting is companies will be like... basically you think about like background radiation. There's always some background radiation on the internet of, everybody's kind of always under attack by people who are just running automated tools against everyone. As you get kind of more important, like the big, you know, Google, Microsoft and Facebook, these people are always under constant attack by really dedicated attackers. But each actual niche, like of industry, will have their own attackers that just target them and nobody else. It's hard for me to come up with an example without giving the companies away that I'm talking about, because I don't think they want me to do that necessarily. But they will tell you, if you talk to them, that they face like not just general attackers but attackers that target their specific industry and know their industry really well. So it actually behooves them to talk with their competitors about, what attacks, what threats are you seeing, so that they can proactively
update their own policies and mechanisms to combat those threats. Just super interesting. Cool. Any other ideas? Correctness, policies? Think... thinking helps. So one thing to think about is assumptions. So this is actually something we need to talk about. So we have to make some kind of assumptions, right? So what are some assumptions that we've talked about, now let's say not with the house, but in the examples we've just talked about? Yeah, then we assume that everyone will follow the policy correctly, right? So when we're thinking about the correctness of a security policy, we need to revisit those assumptions to say, are they realistic? Do they make sense, right? If we're assuming that... I still don't really understand the blindfold example, but let's say we don't want people to know where the business is, so we blindfold all the employees when we bring them to work or something. You know, that maybe will not be followed, or we forget that everyone has GPS on their phone, they all know where they are. Yeah, that they have the resources to dedicate towards a formal security policy. Ah, so yeah, even assuming that we can actually create a security policy. Yeah, or that, I mean, one of the other assumptions is that we can afford all of the mechanisms that our security policy relies on. If that's not the case, so if we assume we have an intrusion detection system, we have this off the firewall thing, we have monitoring running on all the hosts in our network, and it turns out we only get one of those things but the policy remains the same, now that policy is not effective, because it doesn't have the mechanisms in order to do whatever it needs to do. What, what assumptions do we make in our house example? Location. We talked about the location. Normal person. We talked about... what was that? Normal person. Yeah, that it's like a normal person living there. So if somebody rich and famous bought that house, now that current security policy is completely useless, right, because our assumptions have fundamentally changed. We
assume the definition of a house. Yeah, maybe, I don't know, maybe instead of a house we built like a missile bunker or something. That's not the right term. Underground bunker? Yeah, that's the word I was looking for. Like an underground bunker or something, right? That's like, would have completely different security requirements than a house. And you know, this is one of the important things of checking up. Or you think about a startup. So you think about a startup company, right? They initially start building product A and at a certain point pivot into product B. Like let's say Twitter. Twitter, what were they first doing? I think it was a blogging platform or something, and then somebody started creating this like small message sharing thing internally, and then they changed the entire company to start doing that, if I recall. Am I making things up? Does anybody remember this? OK, you don't know, so it might be the truth. I feel like I heard about that. Yeah, I think, I believe that's an example. So they completely shifted the company, but if they still had all their security policies in place about this old product, then it clearly makes zero sense, right, because their assumptions have changed. So we, like we said, and we should revisit our assumptions to make sure they make sense, or update the policy to reflect the fact that, well, maybe we don't think that everyone will follow this policy, so can we put mechanisms in place to ensure that they are following the policy, right? And you know, some of these things we kind of assume the... well, I guess this is a little circular argument, but we, one of the assumptions would be that if we buy a lock and a key that opens that lock, this is the only key that can open that lock. It used to be... I don't think it works anymore. You know, like the U-shaped bike locks? Yeah, so it has a bar like this, a U like this, and you lock it around, lock it. It used to be, so they had these, I think at the time they said they had these completely unhackable keys, because the key, instead of
being like a flat 2D thing, was a circle, and they put it into the end of the lock to open it up. It turns out you could take a Bic pen, and the end of a Bic pen, and just jam it into the lock, and the lock would pop off, right? So some of the assumptions that you're making are that your mechanisms actually implement the policy, right, or that the mechanisms actually work correctly and that there's no vulnerabilities in the mechanisms. If there are, then you have to start, you know, or if you think there might be, planning for that and start considering that as part of your security policies. Those are why these things can be very complicated. Also trust. How does trust factor into this? You trust the security policies will hold up to accurately reflect the same of the building or mechanism. Yeah, so you trust... there's a lot of trust, right? You're trusting the mechanisms, you're trusting the policy itself, you're trusting the people who created the policy. If your CISO... you don't trust your CISO to create the security policy, they could just not put in a very important security policy component and then later use that themselves in order to steal money or do whatever they want. So yeah, part of analyzing and thinking about the correctness of a security policy is making this explicit. OK, the policy would be correct under these assumptions and if we trust, you know, these people or these entities or these mechanisms, right? And so that's really important when you're thinking about the correctness of a security policy. Who do you trust? Should you actually trust those people? Are there... now is part of the policy or mechanisms to audit those people that you should be trusting, right, to make sure that they were trustworthy? We talked, we talked about email delegation, right, on Tuesday, like having somebody else... so as part of maybe letting somebody email on your behalf, maybe a policy you put in place to reduce the trust necessary in that person is just review all the emails they send once a week, or have
somebody else do that, right? So you have kind of a somebody checking that other person just to make sure nothing terrible happens. Alright, so mechanisms. So what kind of mechanism... so we've been talking about policies a lot. So policies, again, at a high level are how things should work, right, or how, what things people should be doing in order to ensure the security of a system. So what about mechanisms? So what kind of mechanisms, if we're thinking generally about mechanisms, how should we be thinking about that? Yeah, so we would think... so mechanisms, we'd think about, basically, I mean, their goal is to support the policy, right? Because without the mechanisms, a policy is just a piece of paper, right? So the mechanisms, and they can be kind of technical mechanisms. So what are some mechanisms that we've talked about in our examples of policies and mechanisms? Yeah, firewalls. So what's a firewall? Filter. Yeah, so a firewall at a very basic level just filters, you could say puts rules into place about who can access what parts of your network. Usually externally is how that's done, although a lot of your current computers have basically built-in firewalls, so that I can't just make a request directly to one of the ports on your computer. What else? What was that? Locks. Yeah, locks, right. Lock is a mechanism. What else? Laptop as a fingerprint scanner. Don't cut off my finger. I would probably just give you the password if we're in that situation. Yeah, so fingerprint scanners. Face ID. So facial ID, Face ID on your phone, or I know some laptops have the facial recognition. But again, it goes back to trust. How much do you trust those systems? As much as we trust the manufacturer. What was that? How... as much as you trust whoever manufacturer. That's definitely part of it. Would you, let's say, would you put a million dollars of your own money behind a facial recognition scanner? Why not? Because you don't trust it. Why don't you trust it? Yeah, it can be manipulated. The very early ones, all it took was a picture of a person, and
then they said, well, we'll do a liveness check. So rather than just recognize the face itself, we'll try to see, is that an actual person there? So one of the things they look at are the eyes moving. So then what do the attackers do? Yeah, so you create a picture of the person with the little eye cutouts, and then you put like a thing back there and you move the eyes, and then it would let them in. And then I think, I don't know if the Face ID stuff does it, but allegedly it has a, I think it has like, is doing like 3D reconstruction, kind of like the Kinect can do, using sonar to create 3D images. So then if you want to break that, you just sculpt somebody's face until it breaks it, until it can break it. And this is actually part of, you know, if you're relying... so this is exactly what we just talked about, right? If you're relying on that mechanism of a facial ID, like a face scanner, you better understand all the ways that can break, and you better be able to understand your trust in that system. So why do you actually trust that system if it has an important role to play? What are some other mechanisms? Oh no, I was just going to talk about the last thing. Sometimes it can be like a toss-up, right? Because like say you protect a million dollars with a password, where anyone can be like, OK, I can get the password, but with a face ID it kind of has something more targeted, like specifically for you. Right, so then you need to think about your threats, right? So if I just have, let's say, my laptop, which doesn't really have anything interesting on it, I mean, I don't know, it has research code on there, it doesn't have 100 grades on there, you need a password for that. Let's do something else maybe. Yeah, we're like a phone, right? Your phone is super important, but I'm not super worried about a nation-state-level person crafting a face of my face to get into my phone. I mean, for me that threat is a little bit outside of the realm of what I'm going to worry about, and it's super useful to just be able to look at your
phone and have it unlock. So thinking about the usability versus the security features, and it's way better than not having any passcode at all on your phone, right? So that's the other key feature. Yeah, so what I would say is, so that is a little bit of a tricky scenario, because usually it's Brian Krebs, who's a famous security blogger, used to be a journalist and now went kind of on his own, independent. He's actually one who finds a lot of these things, because he has a lot of connections, so it's not actually the company themselves. But I do know that some of them do, as part of their security policy, we will have people who go on underground forums to see what things are being sold and try to correlate that with our customers to see if it's our customers' data and information that are out there. So they may have that as part of their policy, and their mechanism would be basically hiring a person to do that. Yeah, configuring your environment, set up things that kind of block parts of the security policy. Like if I don't want someone to be plugging in a USB drive into any of my systems, I can go into the BIOS and disable those ports on this machine. I'm saying in general, right? One thing that people, I think, used to do if you don't want people to plug in USB drive, put epoxy or something on the USB port so you cannot plug in any USB devices. That looks disgusting though. Yes, it does, but that is, yeah, so those are types of things that you can do to try to... mechanisms in the place. There's also things about, what we talked about are procedural mechanisms, right? So this blurs the line a little bit in terms of policies and mechanisms at some point. So let's see, what's a good example? So if you have a company, do companies need to issue checks to people? To do what? In what circumstances?
Like a check, like a money... we don't have that set up yet. So what's a scenario where a company needs to give a check to somebody? Contractor. So you hire somebody to do something for you, you need to pay them. What else? Buying. So somebody buys something for the company, then you get reimbursed for it. Payroll. Big thing, right? People expect to get paid every whatever, twice a week or monthly. So all these things need to happen. The question is, how does it happen, when does it happen? As me, as an employee, can I just say, yeah, I spent 10 grand for the company, I should be reimbursed for that? Can the CEO just say, yes, I need 50 grand transferred to this account right away because we owe this contractor money? So the question is, what procedural mechanisms do you have in place to try to prevent maybe fraud in this case? So, or, I guess, who's signing the checkbook, right? If it's one person, can they just start issuing checks to themselves and nobody ever knows about it until the company's out of money? Would a least privilege policy also work on that as well? So you don't grant everyone admin, and those that do don't come in with admin but have to elevate themselves. A similar type of idea usually works here, where you could have one person control what checks are... one person who actually has the power to issue checks, but maybe another person who actually has the authority to say what checks to issue. So you kind of split that role up, so it's not... that person has no discretion on what checks to actually give out, it's another person that has to do it. You can even have a third person who has to verify and say, so the person will only issue a check if two people tell them, yes, do this thing. So that would be kind of a procedural mechanism to put into place of, OK, these things have to happen. Or another way to think about this is, does everyone know how to launch a nuke? I got a lot of attention. Get the big red button. Is it just a big red button that one person pushes? No, double
authentication, so they verify everything. And then, if I remember correctly, maybe it's probably just movies, but the idea is you have two keys, two separate keys that two are on completely opposite sides, so no one person can turn those keys at once, and those keys need to be turned at exactly the same time in order to start everything off. So it's a mechanism. The mechanism is you have two different keys and a place physically that one person cannot do it, so that the procedure is two people actually have to do it and turn those at the same time, so that one person can't just do this on their own. That's a similar type of thing. But you didn't think we were going to talk about that today. So how do we know if our security mechanisms are effective? Is it important for us? Yes. Why? Because we're using them to combat threats as part of our policy. So what would be an ineffective security mechanism? If you take the fire training, then you can forget it as soon as there's a fire. That depends on what threat you're talking about. Yeah, OK, I probably shouldn't be... I'm not going to discuss ASU's fire policy, except that it's awesome, it does it, and everyone does the training. So we'll be... other examples of ineffective security mechanisms? Let's go the example of like blindfolding people. If you know that people aren't going to follow your mechanism, or like making them, I don't know... so maybe one problem would be coupling super secured in random policies with important policies. So if you said, when you leave the office you have to jump on one leg and lock the door, so the important part is locking the doors from a security perspective, but if people think the other thing's stupid, why would they remember to do the second part? Because to them, which is all seems stupid. Yeah, you know those locks that they have like on gates for like backyards? Like if you had one of those in replaceable... Yeah, that you just lift up and go in. Or a lot of apartment complexes have something about like only residents are able
to use the pool area, and so you need a key to get in, but it's one of those locks that you can just lift from the other side. But again, if you think about what the threat that they're trying to prevent, it may not necessarily be unauthorized people in the pool, it may be getting sued because an unauthorized person is hurt in the pool area. Because everyone who has a lease with that complex signs something that releases the apartment complex from liability if something happens in the pool. And so they say, well, hey, we have this gate in place that prevents unauthorized people from coming in here, so by you being unauthorized coming to our pool, you deliberately circumvented our mechanism, and so whatever happened to you is on you, it's not on us. Yeah, like apartment complexes where you just drive up to and they just open. Uh... silly security theater, maybe. It depends on what the thing is. The ones I've seen, you may need a clicker to get in, so you have some authorization mechanisms or some kind of control there. But again, if you really want to get in... you wouldn't depend on that mechanism for your life, because people could just follow you in. I mean, it's the same thing that happens in companies. If anyone have a working in a company with a badge... so what do you have to do when you go into work with your badge? You have to swipe it in to get in. Has anyone ever gone to work without their badge? Yep. How'd you get in? You may check in at security. What about not doing that?
Don't get in? Come on now. So you follow somebody else. You may be even fake like you're tapping your badge in and you just walk right in. Or actually, I had this horrible circumstance happen to me, I think it was my first internship at Microsoft, where it was the end of my internship, so I'd given my badge to my boss, but I had left the building to maybe go see somebody else, like a friend, and I had to come back to get in my stuff and didn't have my badge. So they had to let me in, and they're like, sure, no problem. This is not what you're supposed to do. That then goes to trust to the employees. Do you trust the employees to actually not let people... what is it called? Piggybacking. That doesn't make sense. So following somebody else in. A good example of this was a company I worked at during my undergrad, that there's something weird, like I didn't work there for a year but I was still on payroll, so I had to go do training, some kind of training thing again. So I go there to go do it, and as soon as I get in, and this was a facility that had a secure facility, but this was like the, in terms of like, they could look at like classified information or whatever, this was the non-classified part. But I go in and start going to my desk, and somebody immediately challenges me, and it's like, what are you doing here? I don't recognize you. I'm like, oh, I'm out of my... I'm an intern here, or whatever. And they're like, yeah, I don't believe you. Who's your boss? And I actually don't remember... OK, I do remember my boss's name, but I'm not going to say it now, just for my... so we go to my boss, and then he checks with the boss to make sure I'm actually an employee there, even though I had my badge. I had my badge, but they didn't recognize me. So yeah, it was a super weird scenario to be in, but it's a good culture to have if your culture is security, right, to make sure that people just don't waltz in and that it's actually a secure environment. But that's, you know, part of that is creating that culture of where that's OK to do.
What other things... so what other things can make a security mechanism insecure? We talked a lot about people. Yeah, when they were like so overly complicated that people like shortcut them. Yeah, so overly complicated mechanisms that maybe... or yeah, let's say the fingerprint reader, if you have a fingerprint reader but it's so unreliable that you just turn it off or disable it. Yeah, if the mechanism is like a lock and it's just like made of plastic. Yeah, it's like a lock that I can just smash with a hammer very easily to destroy it and get in. That would be not very effective. What else? Yeah, what about more technical kinds of mechanisms? I was going to say like not replacing a mechanism. Yeah, so, or not having a policy in place to check the mechanism to make sure it's working, right? So yeah, not replacing a mechanism. Yeah, if I have a something that will, on my network, scan for open ports that aren't authorized, that might interfere with something that looks for that kind of activity. Interesting. So yeah, having mechanisms that actually violate your own policies, and that you have detection mechanisms in place that will trip. Yeah, that's a good phone. What about, do people here run antivirus on their computers? Yeah, it's a good, definitely a good policy to have, a personal policy to have. At the same time, there's been people who found vulnerabilities in antivirus scanners, so by running that you actually become more vulnerable to these kinds of attacks. Or you think about a firewall or an intrusion detection system, do they have security vulnerabilities themselves that an attacker can use to basically render them... So if you think about the physical thing, talking about made of plastic, or talking about being able to jam a Bic pen in the lock to pop it open, these are very clear physical examples, but those same things can happen in the software realm with a software mechanism, that you need to be at least equally aware of to understand the effectiveness of your security mechanisms. What does being a
precise mechanism mean? Yeah, so more in terms of like accuracy, like we talked about. So if you have, let's say, like we talked about, facial recognition system, and that facial recognition system lets you in but also everybody else, it's not a very precise mechanism. It doesn't actually work. Or when you start thinking about detection mechanisms, if you have a detection mechanism that's sending a thousand alerts a day, that detection mechanism will get turned off, unless you're the military. Why? Yeah, or you can force people to look at every single alert and verify whether it's true or not, which, it's a lot more difficult to force people to do that in a company, but the military can force people to do things like this: look through all these score blocks and verify if they're true positive or false positive. The mechanism may be too broad, what we just talked about. Very similar to precise. It may be too broad, it may allow more people in than it should. So all of these are really kind of around the concept of assurance, and assurance is kind of what I think of is, how do you trust that the system is secure? What's your level of trust in this system being secure, and more importantly, why?
How do we trust that a system is secure? Can we ever trust that a system is 100% secure? I would definitely agree with that statement, no. So then do we just go the other round and be like, well, give up, everything can be vulnerable, therefore I do nothing? It mitigates the risks enough to allow us to use it. So you can look at the threats that you have come up with to the system, you look at the policies and mechanisms, you can see, do these policies address these threats? You look at the assumptions, right? Is it still usable? So you want to think about the users. I think it is, but ideally you want something bad to happen at once, so that way you know what kind of threats you're dealing with. Something bad about your security is something bad will happen. So that's an interesting thing. So you can think about assurance in the sense of... and again, it's tricky, because if you just think about it as an, are we attacked or not, well, then you just deliberately don't do any detection and you'll just be like, yeah, it's been 6 months since we've been attacked, and unbeknownst to you, attackers are in your system stealing your credit cards. But if you say, one way to think about assurance is maybe how many, how many scenarios or incidents did we have, how did we address them, what was the time frame between detection and recovery, and then what was the time frame between recovery and putting in new policies and mechanisms, right? Because if you're shortening those time frames, then you know you're responding a lot quicker and closing kind of those loopholes in your current system. You can pay somebody to give you some level of assurance, right? Pay somebody to come audit your system. You can pay people to pen test your system. What's the benefit of paying someone to pen test your system? Yeah, so they can identify areas or threats that you have missed, or that your policies and mechanisms aren't addressing, before a bad guy does. What's the downside? Yeah, so you may... so let's say you have a pen test, they'll find usually at
least one thing, but you fix that one thing and you kick back and go, we're secure. Yeah, you can't do that, because a pen test by definition will find those bypasses of your security policy and security mechanisms that violate the security constraints of your organization, but they're not going to find everything, right? And you ran a pen test three months ago or six months ago, and let's say they didn't find anything, which is maybe good. Does that mean you're still secure in some sense now? Why not? Not just new vulnerabilities, but your system changes. Your developers are writing, pushing new code, you have new employees in. All of these things mean that your system and the scenario is constantly changing, so you need to be thinking about these things in terms of that. Can you quantify assurance? Think about that. Put a number on it. Assurance, not insurance. For some things, yes, but for, let's say, computer security and cyber security, can you quantify... let's think about that. And then assurance, we also want to think on, who can that depend on? So I want you to think about this quantification question, and you can quantify assurance... if you have good ideas, then you should start a company.