Compliance Cautions Investigating Security Issues Associated with - - PowerPoint PPT Presentation

▶

Dec 17, 2023 124 likes •346 views

LASER Workshop 2020 Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards Rock Stevens , Kevin Halliday, Michelle Mazurek / / University of Maryland Josiah Dykstra, James Chapman, Alexander F armer

SLIDE 1

Compliance Cautions

Investigating Security Issues Associated with U.S. Digital-Security Standards

Rock Stevens, Kevin Halliday, Michelle Mazurek / / University of Maryland Josiah Dykstra, James Chapman, Alexander F armer / / Independent Researchers Wendy Knox Everette / / Leviathan Security Group Garrett Bladow / / Dragos, Inc.

LASER Workshop 2020

SLIDE 2

Compliance Standards

◂ What are they? ◂ Why use them? ◂ How are they enforced? ◂ What’s the problem?

SLIDE 3

First empirical evaluation of compliance standards for security issues that exist within perfect compliance

Even if you had perfect compliance, what else could go wrong?

SLIDE 4

Standards we examined

SLIDE 5

1 A u d i t S i x r e s e a r c h e r s c

d u c t i n g l i n e

i n e a u d i t

t h r e e s t a n d a r d s 2 E x p e r t e v a l u a t i

s F

r c

p l i a n c e e x p e r t s e v a l u a t e r e s e a r c h e r s ’ fi n d i n g s 3 D i s c l

u r e V a r i

s a p p r

c h e s t

e s p

s i b l y d i s c l

e fi n d i n g s t

g a n i z a t i

Study Methods

SLIDE 6

Real-world experience Exploitation in the wild Unanimous agreement

1 A u d i t S i x r e s e a r c h e r s c

d u c t i n g l i n e

i n e a u d i t

t h r e e s t a n d a r d s

SLIDE 7

Probability

Unlikely Seldom Occasional Likely Frequent Catastrophic M H H E E Critical L M H H E Moderate L L M M H Negligible L L L L M E - Extremely High H - High M - Moderate L - Low Severity

SLIDE 8

In total, 148 issues ranging from low to extremely high risk

1 A u d i t S i x r e s e a r c h e r s c

d u c t i n g l i n e

i n e a u d i t

t h r e e s t a n d a r d s

SLIDE 9

Data vulnerability

1 A u d i t S i x r e s e a r c h e r s c

d u c t i n g l i n e

i n e a u d i t

t h r e e s t a n d a r d s

SLIDE 10

Data vulnerability

1 A u d i t S i x r e s e a r c h e r s c

d u c t i n g l i n e

i n e a u d i t

t h r e e s t a n d a r d s

SLIDE 11

Under-defined process

1 A u d i t S i x r e s e a r c h e r s c

d u c t i n g l i n e

i n e a u d i t

t h r e e s t a n d a r d s

SLIDE 12

SLIDE 13

LASER Talking Points, Pt 1

Cold calling the experts!

○ Friends/past contacts ○ Industry experts met a previous conferences

Interrater reliability
Codebook development

SLIDE 14

LASER Talking Points

Interrater reliability

○ How to get results when people are in 4 different time zones, and everyone has a full-time job?? ○ Calculated with Krippendorff's alpha

Codebook development

SLIDE 15

LASER Talking Points

SLIDE 16

LASER Talking Points

Codebook development

○ Determine root cause ○ Do it iteratively until you have agreement ○ Define terms upfront!!!

SLIDE 17

CISOs and authors Challenge assumptions Validate findings Provide context

2 E x p e r t e v a l u a t i

s F

r c

p l i a n c e e x p e r t s e v a l u a t e r e s e a r c h e r s ’ fi n d i n g s

SLIDE 18

◂ Confirmed real-world misuse of compliance standards ◂ “White box” pentest

2 E x p e r t e v a l u a t i

s F

r c

p l i a n c e e x p e r t s e v a l u a t e r e s e a r c h e r s ’ fi n d i n g s

LASER Talking Points, Pt 2

SLIDE 19

3 D i s c l

u r e V a r i

s a p p r

c h e s t

e s p

s i b l y d i s c l

e fi n d i n g s t

g a n i z a t i

Enforcers Creators Aggregators

SLIDE 20

Centralized repository

CVEs Federal reporting RFCs

3 D i s c l

u r e V a r i

s a p p r

c h e s t

e s p

s i b l y d i s c l

e fi n d i n g s t

g a n i z a t i

Direct reporting

NDAs RFCs closed “Not my Job” Cease communications!

SLIDE 21

What did you try that did not succeed before getting to the results you presented? 8 months to finish first part, 8 months of NDA negotiations, and Several follow-on interviews to clarify survey data

SLIDE 22

Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards > Questions / Feedback? rstevens@cs.umd.edu | @ada95ftw

Wrap up discussion
Next steps?
Plans for post-workshop paper?

Compliance Cautions

Investigating Security Issues Associated with U.S. Digital-Security Standards

LASER Workshop 2020

Compliance Standards

◂ What are they? ◂ Why use them? ◂ How are they enforced? ◂ What’s the problem?

First empirical evaluation of compliance standards for security issues that exist within perfect compliance

Even if you had perfect compliance, what else could go wrong?

Standards we examined

Study Methods

Real-world experience Exploitation in the wild Unanimous agreement

In total, 148 issues ranging from low to extremely high risk

Data vulnerability

Data vulnerability

Under-defined process

LASER Talking Points, Pt 1

○ Friends/past contacts ○ Industry experts met a previous conferences

LASER Talking Points

○ How to get results when people are in 4 different time zones, and everyone has a full-time job?? ○ Calculated with Krippendorff's alpha

LASER Talking Points

LASER Talking Points

○ Determine root cause ○ Do it iteratively until you have agreement ○ Define terms upfront!!!

CISOs and authors Challenge assumptions Validate findings Provide context

◂ Confirmed real-world misuse of compliance standards ◂ “White box” pentest

LASER Talking Points, Pt 2

Enforcers Creators Aggregators

What did you try that did not succeed before getting to the results you presented? 8 months to finish first part, 8 months of NDA negotiations, and Several follow-on interviews to clarify survey data

Wrap-up