Security Anti-Patterns
Barry Anderson
What is this talk about?
Learning from failure.
Starting a conversation.
Holding ourselves to account.
Why should you care?
Because the threat landscape is getting more and more cluttered and attackers are getting more and more skilful.
"It's 2015, nobody is still doing any of this, right?" Yes, they are (and it seems like it's getting worse).
Design Patterns
Design Patterns: Elements of Reusable Object-Oriented Software (Gamma, Helm, Johnson, Vlissides): "a general reusable solution to a commonly occurring problem within a given context"
Anti-Patterns
Coined in 1995 by Andrew Koenig in an article for the Journal of Object-Oriented Programming: "An anti-pattern is just like a pattern, except that instead of a solution it gives something that looks superficially like a solution, but isn't one."
Or: a general reusable incorrect solution to a commonly occurring problem within a given context.
Anti-Patterns
Wikipedia defines it as: a commonly used process, structure or pattern of action that, despite initially appearing to be an appropriate and effective response to a problem, typically has more bad consequences than beneficial results, and for which a good alternative solution exists that is documented, repeatable and proven to be effective.
Anti-Pattern Categories
Architectural
Behavioural - Community
Behavioural - Organisational
Behavioural - Personal
Behavioural - Vendor
Product-Specific
Architectural
Firewall-on-a-stick
Where, instead of being inline, the firewall is off to one side and the router/switch decides what traffic to send there.
Why this is an anti-pattern: because a firewall that you can bypass (accidentally or otherwise) isn't a firewall; it's an optionally inline controls application point.
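One way to find out whether the "optional" firewall is actually in the path is to compare what a tap on the server segment sees with what the firewall logged. The script below is an added example, not from the talk: it parses two constructed key=value record sets (the tap's flows and the firewall's log) and reports flows that reached the servers without any firewall log entry, plus flows the firewall claims to have dropped that still arrived. The record format and addresses are invented for the example.

```python
import re

# Constructed sample records (not from the talk). SERVER_TAP is what a tap or
# SPAN on the server segment saw; FIREWALL_LOG is what the firewall logged.
# With a truly inline firewall, every server-side flow has a log entry.
SERVER_TAP = """\
src=203.0.113.10 dst=192.0.2.20 dport=443 proto=tcp
src=203.0.113.11 dst=192.0.2.20 dport=22 proto=tcp
src=198.51.100.5 dst=192.0.2.21 dport=3389 proto=tcp
src=203.0.113.12 dst=192.0.2.20 dport=443 proto=tcp
src=203.0.113.14 dst=192.0.2.20 dport=443 proto=tcp
"""

FIREWALL_LOG = """\
src=203.0.113.10 dst=192.0.2.20 dport=443 proto=tcp action=accept
src=203.0.113.12 dst=192.0.2.20 dport=443 proto=tcp action=accept
src=203.0.113.14 dst=192.0.2.20 dport=443 proto=tcp action=drop
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Parse key=value lines into (flow_key, action) pairs.

    flow_key is a (src, dst, dport, proto) tuple; action is None for tap records.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV.findall(line))
        key = (fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])
        records.append((key, fields.get("action")))
    return records


def audit_inline_path(tap_text, fw_text):
    """Return (bypassed, dropped_but_arrived).

    bypassed: flows seen on the server segment with no firewall log entry at
              all, i.e. the router/switch never steered them to the firewall.
    dropped_but_arrived: flows the firewall says it dropped that still showed
              up on the server segment, which also means a path around it.
    """
    logged = {key: action for key, action in parse_records(fw_text)}
    bypassed, dropped_but_arrived = [], []
    for key, _ in parse_records(tap_text):
        if key not in logged:
            bypassed.append(key)
        elif logged[key] == "drop":
            dropped_but_arrived.append(key)
    return bypassed, dropped_but_arrived


if __name__ == "__main__":
    missing, leaked = audit_inline_path(SERVER_TAP, FIREWALL_LOG)
    for flow in missing:
        print("never inspected by firewall:", flow)
    for flow in leaked:
        print("dropped by firewall but reached server:", flow)
```

Run against real data, the tap export would be a NetFlow or packet-capture summary and the firewall side its accept/drop log; any non-empty result is evidence that the switch, not the firewall, is deciding what gets inspected.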
Landing VPNs on a firewall
Where the firewall that terminates VPNs is the same device holding the rules that protect the destination server.
Why this is an anti-pattern: anyone remember the Check Point SecuRemote tunnelling vulnerability?
Flat DHCP/dynamic DNS scopes
When any box that connects to your network gets a name in the same scope as, e.g., your servers.
Why this is an anti-pattern: because when the contractor with the shiny Apple laptop, who's so cool he named it after a comic-book character, connects it to the network where the people who named your B2B server liked the same character, your B2B server suddenly goes off the air and nobody can work out why.
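The collision the slide describes can be caught before it takes a server off the air by checking client-supplied hostnames against the static server zone. The script below is an added example, not the talk's code: it parses a constructed static zone and a constructed ISC-dhcpd-style lease file, reports every client hostname that would overwrite a server record in a flat zone (DNS names compare case-insensitively, so "Batman" hits "batman"), and shows the remedy the slide implies, a separate scope for dynamic clients. The zone names and addresses are placeholders.

```python
import re

# Constructed sample data (not from the talk). STATIC_ZONE is the hand-maintained
# zone for servers; DHCP_LEASES is an ISC-dhcpd-style lease file whose
# client-supplied hostnames get registered into the *same* zone by dynamic DNS.
STATIC_ZONE = """\
b2bgateway   IN A 192.0.2.50
mail         IN A 192.0.2.25
batman       IN A 192.0.2.60
"""

DHCP_LEASES = """\
lease 10.0.0.42 { client-hostname "Batman"; hardware ethernet 00:11:22:33:44:55; }
lease 10.0.0.43 { client-hostname "alices-mbp"; hardware ethernet 00:11:22:33:44:66; }
lease 10.0.0.44 { client-hostname "mail"; hardware ethernet 00:11:22:33:44:77; }
lease 10.0.0.45 { hardware ethernet 00:11:22:33:44:88; }
"""

ZONE_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\S+)", re.M)
LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{[^}]*?client-hostname\s+"([^"]+)"')

# Assumed remedy: dynamic clients get their own zone, so a client name can
# never shadow a server name. The zone name is a constructed placeholder.
CLIENT_ZONE = "dhcp.example.test"


def parse_static_zone(text):
    """Map lower-cased server hostname -> IP from the zone's A records."""
    return {name.lower(): ip for name, ip in ZONE_RE.findall(text)}


def parse_leases(text):
    """List of (client_hostname, leased_ip) for leases that supplied a hostname."""
    return [(host, ip) for ip, host in LEASE_RE.findall(text)]


def find_collisions(zone_text, leases_text):
    """Client hostnames that would overwrite a server's record in a flat zone.

    Returns (client_hostname, leased_ip, server_ip) tuples; server_ip is the
    address that would silently stop resolving once the client registers.
    """
    servers = parse_static_zone(zone_text)
    return [(host, ip, servers[host.lower()])
            for host, ip in parse_leases(leases_text)
            if host.lower() in servers]


def scoped_fqdn(client_hostname):
    """Where the client's record should go instead: its own scope."""
    return f"{client_hostname.lower()}.{CLIENT_ZONE}"


if __name__ == "__main__":
    for host, lease_ip, server_ip in find_collisions(STATIC_ZONE, DHCP_LEASES):
        print(f"{host!r} from {lease_ip} would clobber server record {server_ip}; "
              f"register it as {scoped_fqdn(host)} instead")
```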
Marketechture
When you allow your vendors to determine the shape of your network.
Why this is an anti-pattern: because your architecture is an expression of your strategy. "...form ever follows function" -- Louis Sullivan
"So where do I connect up?"
Allowing anyone to plug an unsecured endpoint into your network.
Why this is an anti-pattern: because they don't have your controls!
Behavioural - Community
Victim Blaming
Can you imagine if a surgeon blamed the patient for a failure to provide effective care?
Behavioural - Organisational
Pig in a poke
Wikipedia: an offering or deal that is foolishly accepted without being examined first. Origin: a confidence trick originating in the Late Middle Ages, when meat was scarce, but cats and dogs (puppies) were not.
Selecting a vendor product without running a shoot-out (at the vendor's expense).
Why this is an anti-pattern: because if you don't have the cojones to admit your mistake, five years later your company is still paying maintenance on that purchase.
Magic Silver Bullet Thinking
Similar to Pig in a Poke: buying a vendor product/story without running a PoC (at the vendor's expense).
Why this is an anti-pattern: because you never build the capability to deal with the real problems, instead wasting resources deploying products that never get used once you realise they're not a silver bullet after all. (The problem is the thinking, not the product.)
Impedance Mismatch
Interposing a vendor you pay a support contract to between yourself and the manufacturer (whom they pay on a per-incident basis).
Why this is an anti-pattern: because you're never sure whether a problem gets reported back to the manufacturer or not, and with security-related bugs you can't afford that.
Outsourcing
Outsourcing to <insert global IT services company here> (where your servers end up being managed from China, which may be the case for a lot of companies anyway, but they're not usually paying for it!).
Why this is an anti-pattern: because if your company doesn't make widgets, IT is your core business. Because if you can't successfully manage the delivery of something, what makes you think you can successfully manage its delivery with even less control?
Strategic Sourcing
An institutional procurement process that continuously improves and re-evaluates the purchasing activities of a company; popularised through work with a variety of blue-chip companies by a number of consulting firms such as A.T. Kearney, Booz Allen Hamilton, KPMG, PricewaterhouseCoopers and PRTM in the late 80s and early 90s.
Why this is an anti-pattern: this doesn't have to be an anti-pattern (although you can quickly change where you buy pens, but not so quickly change who supports your IT), but the potential is there, especially when it becomes a stepping stone to...
"Strategic Sourcing"
Even when it costs more, only deploying the organisation's resources to do things only the organisation can do.
Why this is an anti-pattern: so you're not doing the best thing, and you can't even justify doing something sub-optimal because it's cheaper!
The Emperor's New Clothes
When decisions aren't assessed based on the evidence, but based on where on the food chain the decision-maker lies.
Why this is an anti-pattern: because if you aren't willing to assess whether you're off course, how can you ever correct?
Preventive controls are all we need!
"Prevention eventually fails" -- Richard Bejtlich
"Prevention is ideal; detection is a must" -- Dr Eric Cole
"I don't care if you're talking about pregnancy or data breaches. With a sufficient sample size, prevention fails." -- Phil Hagen
Why this is an anti-pattern: because if you don't have the detective controls in place, how do you know your preventive control has failed you?
Reductio ad absurdum
Take a fundamentally good idea ("prevention eventually fails") and drill until you reach peak stupid: "All our controls are detective since prevention fails. Our compensating controls are contractual."
Why this is an anti-pattern: this particular example is an anti-pattern because it assumes you can react in time (or at all), and administrative controls don't stop bad actors.
Best Practices
Treating "best practices" like aspirational guidelines, or, said another way, like the ceiling instead of the floor.
Why this is an anti-pattern: "best practices" are those practices everyone should implement, i.e. the worst acceptable practices.
"We don't want to boil the ocean"
As a truism about the overcommitment of resources to a fruitless task, this makes sense. As an excuse for not doing what you know you should do, on the other hand...
Behavioural - Personal
"Above my pay grade"
A variant of The Emperor's New Clothes.
Why this is an anti-pattern: an unwillingness to stand up for what you believe in. This looks like The Emperor's New Clothes, but is more an issue of personal responsibility.
Running network clients on your firewall
This may seem like a good idea to the junior firewall administrator who realises one day that the firewall he's administering allows all connections from the firewall out to the Internet (see Firewall Implied Rules).
Why this is an anti-pattern: can you say client-side exploits?
Behavioural - Vendor
Development Practices
Coding practices that make me shudder. Seriously. Regressions like you wouldn't believe. Code fiefdoms.
Why this is an anti-pattern: crap coding practices lead to crap code.
Insufficient Testing
Who here does test and certification on security products? If not, why not?
Why this is an anti-pattern: bugs in security software have consequences.
Product-Specific
Firewall Policy "Version Control"
Simply tars up the configuration directory.
Why this is an anti-pattern: because a restore may blow away a whole lot more than you were expecting; other policies, for example!
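To make the restore risk concrete, the script below is an added example (not the product's or the talk's code) that builds a small constructed tarball of a firewall configuration directory, then does two things: lists every file a blanket extract would overwrite with stale content when all you wanted back was one policy, and restores just that one member instead. File names and contents are invented for the example.

```python
import io
import os
import tarfile
import tempfile

# Constructed config directory as it looked at backup time (placeholder paths).
BACKUP_CONTENTS = {
    "conf/policies/dmz.pol": b"accept 443 to 192.0.2.20\n",
    "conf/policies/internal.pol": b"accept any from 10.0.0.0/8\n",
    "conf/objects.db": b"host web 192.0.2.20\n",
}


def build_sample_archive(contents=BACKUP_CONTENTS):
    """Build the 'version control' tarball in memory: the whole config dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in contents.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def current_state():
    """Constructed view of the disk today: dmz.pol lost, the rest edited since backup."""
    return {
        "conf/policies/dmz.pol": b"",
        "conf/policies/internal.pol": b"accept any from 10.0.0.0/8\ndrop 23 from any\n",
        "conf/objects.db": b"host web 192.0.2.20\nhost db 192.0.2.30\n",
    }


def full_restore_collateral(archive_bytes, on_disk, wanted):
    """Files a blanket extract would overwrite with stale content, besides `wanted`."""
    clobbered = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        for member in tar.getmembers():
            if member.name == wanted or not member.isfile():
                continue
            if on_disk.get(member.name) != tar.extractfile(member).read():
                clobbered.append(member.name)
    return clobbered


def restore_one(archive_bytes, wanted, dest_dir):
    """Extract only the named policy file under dest_dir; returns the path written."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        member = tar.getmember(wanted)
        # Refuse absolute or parent-relative member names before writing anything.
        if not member.isfile() or os.path.isabs(member.name) or ".." in member.name.split("/"):
            raise ValueError(f"refusing unsafe member {member.name!r}")
        data = tar.extractfile(member).read()
    out = os.path.join(dest_dir, wanted)
    os.makedirs(os.path.dirname(out), exist_ok=True)
    with open(out, "wb") as fh:
        fh.write(data)
    return out


def demo_targeted_restore(wanted="conf/policies/dmz.pol"):
    """Run both checks in a scratch directory and return what happened."""
    archive = build_sample_archive()
    collateral = full_restore_collateral(archive, current_state(), wanted)
    with tempfile.TemporaryDirectory() as scratch:
        path = restore_one(archive, wanted, scratch)
        with open(path, "rb") as fh:
            restored = fh.read()
        untouched = not os.path.exists(os.path.join(scratch, "conf/objects.db"))
    return {"collateral": collateral, "restored": restored, "others_untouched": untouched}


if __name__ == "__main__":
    result = demo_targeted_restore()
    print("a full extract would also overwrite:", result["collateral"])
    print("targeted restore wrote:", result["restored"])
```

A policy store that keeps each policy as its own versioned object avoids the question entirely; with a directory tarball, the targeted extract above is the minimum discipline needed to avoid rolling back policies you never meant to touch.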
Firewall Implied Rules
If you check Firewall Implied Rules under Global Properties on a specific vendor's firewall, you'll see what traffic your firewall allows that you haven't explicitly told it to in your rulebase. (This used to be even worse, as any inbound connections were allowed!)
Why this is an anti-pattern: because <sarcasm>of *course* that general-purpose O/S your firewall is running on has no remote exploits!</sarcasm>
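The two firewall slides above (running network clients on the firewall, and implied rules) describe the same blind spot: traffic the visible rulebase would drop that the product accepts anyway. The script below is an added example, not any vendor's syntax or defaults: it models a constructed explicit rulebase plus two constructed implied rules, evaluates probe connections under first-match semantics, and reports every connection that is accepted only because of an implied rule. Assumptions: implied rules are evaluated before the explicit rulebase (the real order is product-specific), and the gateway's own address is a placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example, not any vendor's real rule syntax or defaults.
FIREWALL_IP = "192.0.2.1"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR, "any", or the literal "firewall" (the gateway itself)
    dst: str
    dport: str      # port number or "any"
    action: str     # "accept" or "drop"
    implied: bool = False


# What the administrator wrote and sees in the rulebase editor.
EXPLICIT = [
    Rule("web-in", "any", "192.0.2.20/32", "443", "accept"),
    Rule("cleanup", "any", "any", "any", "drop"),
]

# What the product silently adds from its global properties. Assumed here to be
# evaluated before the explicit rulebase; the real order is product-specific.
IMPLIED = [
    Rule("gateway-outbound", "firewall", "any", "any", "accept", implied=True),
    Rule("mgmt-ssh-in", "10.0.0.0/8", "firewall", "22", "accept", implied=True),
]


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "firewall":
        return ip == FIREWALL_IP
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def first_match(rules, src, dst, dport):
    """First-match semantics: the first rule whose src, dst and port all match wins."""
    for rule in rules:
        if (_addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)
                and _port_matches(rule.dport, dport)):
            return rule
    return None


def decide(src, dst, dport, explicit=EXPLICIT, implied=IMPLIED):
    """Which rule (implied or explicit) actually decides this connection."""
    return first_match(list(implied) + list(explicit), src, dst, dport)


# Constructed probe connections an auditor might replay through both views.
PROBES = [
    (FIREWALL_IP, "203.0.113.5", 80),     # a browser running on the firewall
    ("10.1.2.3", FIREWALL_IP, 22),        # SSH to the gateway from the LAN
    ("203.0.113.7", "192.0.2.20", 443),   # ordinary inbound web traffic
]


def hidden_allows(probes=PROBES, explicit=EXPLICIT, implied=IMPLIED):
    """Connections accepted only because of an implied rule.

    For each probe, compare the verdict of the visible rulebase alone with the
    verdict once implied rules are in play, and report where they differ.
    """
    findings = []
    for src, dst, dport in probes:
        visible = first_match(explicit, src, dst, dport)
        actual = decide(src, dst, dport, explicit, implied)
        if (actual is not None and actual.implied and actual.action == "accept"
                and (visible is None or visible.action != "accept")):
            findings.append(((src, dst, dport), actual.name))
    return findings


if __name__ == "__main__":
    for conn, rule_name in hidden_allows():
        print(f"{conn} is accepted only by implied rule {rule_name!r}; "
              f"the visible rulebase would drop it")
```

The first probe is the junior administrator's browser on the firewall: the visible rulebase ends in a cleanup drop, yet the connection goes out. Replaying a probe set like this after every policy push is a cheap way to keep the implied rules from drifting out of sight.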
Where to from here?
"Doctor, it hurts when I do this." "Don't do that!"
How many of these rang bells for you? How many are you unsure about? Would you like to be sure?