[PPT] - Practical Magic: Behavior- based Security Design for IoT Kelly PowerPoint Presentation

SLIDE 1

Practical Magic: Behavior- based Security Design for IoT

Kelly Shortridge (@swagitda_) Troopers 2018

SLIDE 2

Hi, I’m Kelly

SLIDE 3

3

“I usually solve problems by letting them devour me.” ― Franz Kafka

SLIDE 4

4

10 20 30 40 50 60 70 80 90 100 January 1, 2007 January 1, 2009 January 1, 2011 January 1, 2013 January 1, 2015 January 1, 2017

IoT IoT Security

Source: Google Trends

SLIDE 5

5

We’re engendering a Kafkaesque paradigm for IoT security

SLIDE 6

6

Dyn DDoS / Mirai Botnet Reaper Botnet RSAC 2017

10 20 30 40 50 60 70 80 90 100 January 1, 2007 January 1, 2009 January 1, 2011 January 1, 2013 January 1, 2015 January 1, 2017

Source: Google Trends

SLIDE 7

7

IoT botnets are the first, and ravenous, boss of the IoT security battle

SLIDE 8

8

Mirai: 60 default passwords led to 100k node botnet attack against Dyn

SLIDE 9

9

But we’re promoting complexity & a seemingly endless set of hurdles

SLIDE 10

10

Lackluster IoT security is not a secret –

ur ideas are clearly not working

SLIDE 11

11

By understanding behavior, we can guide choice & support secure habits

SLIDE 12

12

1. Existing Suggestions
2. Incentive Problems
3. Behavior-Based Design
4. IoT Security Ideas

SLIDE 13

Existing Suggestions

SLIDE 14

14

FTC recommends building-in security from the beginning (simple as that!)

SLIDE 15

15

FDA: Pre- & Post-Market Guidelines (H/T @marasawr)

SLIDE 16

16

Pre-market: a lot of documentation & threat modelling

SLIDE 17

17

Post-market: monitoring & a mitigation deployment strategy

SLIDE 18

18

OWASP: IoT Testing Guide, IoT Attack Surface Areas, Principles of IoT Sec…

SLIDE 19

19

Designed for the penetration tester user persona – not developers

SLIDE 20

20

Cisco’s guidelines: “Secure Analytics,” Network Enforced Policy, Auth^2

SLIDE 21

21

Compensating Controls: post-market remedies by third parties

SLIDE 22

22

Burden is primarily on the end user

SLIDE 23

23

Actionable, real-time behavioral analytics for visibility & intelligence…

SLIDE 24

24

Maybe feasible for enterprises, but what are consumers to do?

SLIDE 25

Incentive Problems

SLIDE 26

26

Principal-agent problem: someone else makes the decisions, but you bear the impact

SLIDE 27

27

The Agent has their own self-interest. It’s likely not the same as yours.

SLIDE 28

28

Moral Hazard: people take more risks because someone else bears the cost

SLIDE 29

29

Next level: Equifax’s customers aren’t the end users whose data is stored

SLIDE 30

30

Prospect Theory: people care about relative vs. objective outcomes

SLIDE 31

31

Maintain a reference point against which outcomes are measured

SLIDE 32

32

Overweight small probabilities & underweight large probabilities

SLIDE 33

33

Overhyping low-probability vuln exploitation vs. default passwords

SLIDE 34

34

Loss aversion: people prefer to avoid losses vs. acquire the same gain

SLIDE 35

35

Framing security as a time & cost sink facilitates natural resistance

SLIDE 36

36

Hyperbolic discounting: future rewards are discounted vs. present

SLIDE 37

37

Many security initiatives are “investments” with long-term benefits

SLIDE 38

38

Dual System Theory: lizard brain (system 1) vs. philosopher brain (sys 2)

SLIDE 39

39

Most policies work on System 2 – we need to work with System 1 instead

SLIDE 40

40

Overchoice: too many options causes analysis paralysis

SLIDE 41

41

Which of the 100 items do devs tackle 1st in a 10-page IoT attack surface doc?

SLIDE 42

42

We have to work with how people think, not against it

SLIDE 43

Behavior-based Design

SLIDE 44

44

What is choice architecture?

SLIDE 45

45

Design presentation of choices to promote improved decision-making

SLIDE 46

46

Example: MINDSPACE framework for behavioral design

SLIDE 47

47

Messenger: people dismiss info from sources they don’t like / respect

SLIDE 48

48

Incentives: losses can be more motivating than rewards

SLIDE 49

49

Norms: People follow social standards, (even when counterproductive)

SLIDE 50

50

Defaults: People prefer things to remain the same (inertia)

SLIDE 51

51

Salience: Novel & relevant draws attention & influences choices

SLIDE 52

52

Priming: Senses subconsciously influence us

SLIDE 53

53

Affect: Emotional reactions are our brains’ first responders

SLIDE 54

54

Commitments: Judgements made in advance to create “automatic” actions

SLIDE 55

55

Ego: People like to feel better about themselves & preserve self-image

SLIDE 56

56

Reinforcement mechanisms: consequences to guide behavior

SLIDE 57

57

Pay-for-performance lacks empirical evidence for fixing moral hazard

SLIDE 58

58

Set clear, achievable goals – “fix all the bugs” is neither

SLIDE 59

59

Goal setting must be matched with feedback, ideally immediate

SLIDE 60

60

Framing effects: reduce the gap between concern & willingness to act

SLIDE 61

61

Focus on leveraging system 1 to your advantage by altering habits

SLIDE 62

62

How do you create a habit loop?

SLIDE 63

63

Step 1: Routine

SLIDE 64

64

Make it stable, frictionless, & fit into existing context

SLIDE 65

65

Minimize perceived effort & number

f decisions the user has to make

SLIDE 66

66

Step 2: Triggers & Rewards

SLIDE 67

67

Contextual cues: “If X, do Y”

SLIDE 68

68

Magical brew of rewards: mix of short- term & accumulated long-term ones

SLIDE 69

69

Step 3: Ingrain

SLIDE 70

70

Foster ample opportunities for practice & interaction

SLIDE 71

71

Cultivate a sense of meaning behind the habit – a deeper purpose

SLIDE 72

72

People don’t like feeling like habit machines; play into self-identity

SLIDE 73

Ideas for IoT Sec

SLIDE 74

74

Set concrete goals: “build-in security” is too nebulous

SLIDE 75

75

“Ensure each feature release uses a 10-point checklist” is a clear ask

SLIDE 76

76

Value should consider maximum security benefit at minimum cost

SLIDE 77

77

How to turn security into a habit?

SLIDE 78

78

Teams should have a regular, brief time & space to review security goals

SLIDE 79

79

Context cues: “if login portal, require change of default creds during setup”

SLIDE 80

80

Specify attainable steps with minimal complexity, like a checklist

SLIDE 81

81

Security suitably serves as a deeper purpose – frame it as a noble cause

SLIDE 82

82

How can we leverage MINDSPACE for IoT security?

SLIDE 83

83

Find the right messenger: preachy infosec people probably aren’t it

SLIDE 84

84

“Gift” budget that is eroded if security goals aren’t met (loss aversion)

SLIDE 85

85

Treat security habits as norms: “90% of

ur developers fix bugs within 3 days”

SLIDE 86

86

Show long-term expenses of options to highlight ROI of proactive security

SLIDE 87

87

Transparency around quality & cost: easiest measures with highest impact

SLIDE 88

88

Control instincts to security issues – slow down via threat modelling

SLIDE 89

89

Team bonus if you complete the checklist & fix bugs within 30 days – if not, it goes to charity

SLIDE 90

90

Black Girls Code, Calyx Institute, IFF Diversity & Inclusion Fund, Mozilla Foundation, Signal Foundation

SLIDE 91

91

Public lists of IoT vendors allowing default cred changes (like the Two Factor Auth List)

SLIDE 92

92

One-page checklist to ensure & document IoT security basics

SLIDE 93

93

Streamlined number of steps per lifecycle stage – design, build, test

SLIDE 94

94

1. Design UX workflow to change

default passwords (everywhere)

SLIDE 95

95

2. Spoof headers to look like most

common web servers

SLIDE 96

96

3. Encrypt data in transit with SSL or

TLS

SLIDE 97

97

4. Don’t call bash scripts from the web

interface

SLIDE 98

98

5. Don’t use custom API protocols –

just use REST or SOAP

SLIDE 99

99

Design Build Test

Does the device use:
A login portal?
Yes, and we allow

the change of default creds

No
User Data
Yes, & we encrypt

data w/ SSL or TLS

No
Web Interface
Yes, and we do not

call bash scripts or use custom API protocols

No

If internet-connected, spoof headers to appear “normal” Cross-checking by teams of critical measures to be taken

Share essential information

concerning security steps with the team

Confirm each team member

understands the security requirements

Have any new features been

added since design that require review? (ie interfacing w/ the internet, collecting user data)

Anticipated Security Events
What are the critical or

non-routine security controls required?

How long will

implementation of controls take?

What are the anticipated

impacts of the controls?

Tester to confirm:
Completion of account

controls (default credential alerts, lockouts, 2FA)

List of data used by the

device, and labelling of user data

Whether there are any

vulnerabilities to be addressed

For builders:
What are the key

concerns around management going forward and any future security concerns?

Instructions for

immediate post-testing security management are drawn up together

SLIDE 100

100

Formalized & usable checklist to be released soon…

SLIDE 101

Conclusion

SLIDE 102

102

IoT security ideas must treat devs as time-constrained humans

SLIDE 103

103

Prioritizing security can go against incentives – but that can be changed

SLIDE 104

104

Our complex, “endgame-level” solutions are too formidable

SLIDE 105

105

Compensating controls aren’t enough – we can’t expect magic post-hoc

SLIDE 106

106

But practical magic using behavioral design can improve decision making

SLIDE 107

107

Goal: straightforward ways to erode risky habits & promote security habits

SLIDE 108

108

A basic, one-page checklist is a simple way to start growing security culture

SLIDE 109

109

We cannot wallow in sermonizing – we can’t let the problem devour us

SLIDE 110

“Good enough is good enough. Good enough always beats perfect.” – Dan Geer

SLIDE 111

111