RVAsec 2023: Improving ourselves, our security, and our community

Richmond, Virginia, has a vibrant and storied history. While Edgar Allan Poe is more associated with Baltimore, he actually grew up in Richmond, home to the Edgar Allan Poe Museum. Richmond was also home to Maggie Lena Walker, the first woman to own a bank. It is also where Patrick Henry gave his famous "Give me liberty or give me death" speech. While nobody declared anything so revolutionary this year, many security professionals did gather to share ideas and opinions at RVAsec 2023, taking place June 13 and 14. This year marked the 12th gathering and the largest attendance for the event to date, with 740 tickets sold. This year there was a capture-the-flag, lock-picking village, and an extremely fun casino-themed after-party. 28 speakers presented on a wide range of topics, including your author. All the sessions were recorded and will be available on the RVAsec website.

Here are just a few highlights from this year's event.

Improving our teams 1% every day

In his keynote, "Building Leadership, 1% at a time," Andy Ellis walked us through building great teams and avoiding burnout. The name of the talk is taken from the name of his book, 1% Leadership, which all attendees received a copy of in their welcome gift bag.

He began by laying out the 6 ways poor management kills productivity:

1. Exhaustion - Humans only have so much energy to get through the day. Not respecting the effort it takes to show up and be present, or not watching out for signs of tired workers, is a quick way to burn people out.

2. Exclusion - When people don't feel welcome, it is hard to motivate them or help them reach their full potential.

3. Unwillingness - Whenever someone starts asking, "Why am I doing this?" you are going to face issues around motivation. Plus, every cycle thinking about it wastes energy and adds to their exhaustion.

4. Inability - We need to be real that some people just don't have the ability to do the required job. But sometimes, they can't function because the job expectations are not clear, meaning no one would be able to succeed. It is essential to understand each situation as a leader.

5. Ineffectiveness - Spending energy on things that go nowhere is exhausting and prevents the team from accomplishing something more meaningful.

6. Misalignment - If each team member understands the goal differently, then you are bound to get poor outcomes. Aligning everyone with the mission is an important part of effective management.

Andy sees the path to better leadership falling into three overarching categories.

  1. Support - improving wellness and inclusion.

  2. Management - covering inspiration and development.

  3. Authority - focusing on planning and alignment.

Without going into every aspect of his approach (after all, he spends a whole book on it), here are a couple of select bits of advice on getting to better alignment.

Wellness is the most significant element we control as individuals. When we overwork ourselves or our teams in the short run, we significantly increase the chance of burnout. He summed it up as "4 days of overextending yourself is rarely worth it 4 months later." Make sure you are looking at vacation time as minimum time away from the office, not maximum days taken that you should police.

Inclusion is the sum of countless micro-inclusions, making sure to take care to include others at every opportunity. He suggests keeping a list of your teammates and making sure you note positive things about each after every interaction. He also suggested organizing the list with the folks who you speak to the least at the top. You can then use this document as a 'to-do' list of team members you need to include more in conversations. Along with this, when talking to people, assume good intent. It can go a long way toward a positive perspective.

The top things keeping CISOs up at night

While every member of your organization should be concerned about security day to day, there is one person who is ultimately responsible for it at most organizations, the Chief Information Security Officer, CISO. In his session "Top 5 CISO Findings of 2022," Mark Arnold of Lares Consulting walked us through the research his team did around the most frequently faced issues CISOs deal with.

The first issue he called the "Asset Management Blues." Basically, you have to know what you have if you are going to protect it. Many organizations struggle with effective asset management, with multiple interviewed CISOs saying, "We are waiting on X before improving our asset management." The "X" in that statement can take many forms but usually means waiting on a certain specific functionality from a vendor. Poor asset management can lead to a lot of issues. Unsecured devices added to the network widen your attack surface and give attackers an easy path inside.

The next major issue Mark labeled as "Seeing RED: Vulnerabilities." It should not come as a surprise that new vulnerabilities emerge daily, meaning all CISOs have to fight to keep up with the shifting landscape every day. This also means managing patches in order to deal with those threats. If those were all CISOs had to be responsible for, it would still be more than a full-time job.

The third most common issue is "Failing Tools." He said it is common to hear CISOs say things like, "We do bi-yearly (as in every other year) 3rd-party testing of our security tools." Mark reminded us that all the fancy tools in the world are not worth anything if you don't validate them. Also, if they are not being used correctly and consistently, then they will never produce the results you want.

Fourth on Mark's list was "Blind Spots." This is an issue affecting all verticals and companies of all sizes. If an organization lacks proper logging and monitoring, then blind spots exist. Those are precisely where bad actors will likely strike. If no one is actively monitoring your logs, then breaches are going to take a lot longer to remedy.

The fifth most common issue CISOs face is "Insecure Configuration." It is not actually misconfiguration but the lack of configuration that is the biggest culprit. In every organization they surveyed, they discovered at least some devices and services that were still using the default settings with all the factory-installed, often unpatched services still accessible. Worse yet, they commonly found default passwords and usernames still in place, making it very easy for bad actors to gain entry without much effort.

The path to a more secure organization and less stress overall is adopting and adhering to a consistent threat modeling framework. There are many out there, but Mark dug into the NIST framework. This approach breaks down security modeling into 5 stages:

  1. Identify - Make a list of all equipment, software, and data you use, including laptops, smartphones, tablets, and point-of-sale devices.

  2. Protect - Control who logs on to your network and uses your computers and other devices.

  3. Detect - Monitor your computers for unauthorized personnel access, devices (like USB drives), and software.

  4. Respond - Have a tested plan for notifying customers, employees, and others whose data may be at risk and keeping business operations up and running.

  5. Recover - Have a plan to repair and restore the equipment and parts of your network that were affected.

In boxing terms, Mark said it is how you "go from being knocked out to being able to take a punch and then go on to punching out Mike Tyson." It does not need to be a complex process; all security models basically follow the same flow: "rank risks, quantify risks, perform threat modeling, repeat."

People love their passwords and are resistant to change

Adrian Amos has done a lot of research into the history of security and was kind enough to share his findings with us in his session "I Heart My Password." He traced the history of security from the ancient Greeks and Egyptians, who created the first locks, to modern "Passwordless" systems. We have literally thousands of years of physical security training baked into our collective culture. Adrian thinks this is part of the reason why people are so hesitant to change and adopt modern security best practices.

In physical security, keys were rarely changed for locks. The same iron lock from ancient Rome would use the same key today. While Romans did have daily rotating passwords, called 'watchwords,' with limited scope, that was military-grade security. For most people, a lock with the same unchanging key was good enough security.

Fast forward to the present. He said that in his work he far too often finds the Windows 2000 Security Policy, which sets the defaults for Windows security, still running with its untouched defaults. The thinking was, "It worked 'good enough' out of the box, so why update it?" This mirrors the idea that the key that came with the lock was good enough.

People generally push back when asked to regularly rotate their passwords, especially if given strict and unnatural rules about it. He cites the standards outlined in NIST 800-63B, Appendix A, as an egregious example of frustrating people with too many rules and making passwords harder to remember. This leads to 'enumerated rotation' where people just increment a number at the end of the password and write passwords down on post-it notes, making them less secure overall.

The reported figures are terrifying. 30% of internet users surveyed reported being breached due to weak passwords. 13% of all Americans surveyed recycle the same password between all accounts. However, the same research shows one very encouraging number: 99.9% of attacks can be blocked when multi-factor authentication, MFA, is used. While we hear about MFA being overcome in various breach reports, there is a reason it is newsworthy; it is tough to defeat.

There are many ways you can achieve MFA as well. Not all jobs allow personal device use, making SMS or device-based authentication nearly impossible, but you can bake authentication techniques into tools like 1Password or similar applications. Other examples he mentioned are Authenticator Lite, which is baked into Outlook Mobile, and Microsoft Managed MFA, a managed MFA solution, now included as a default option in Azure AD controls.

Adrian thinks that people have reached an exhaustion limit for changes for access controls and password management. This is especially true for corporate accounts and machines. However, when asked if they want to better protect their own accounts and property, most people will agree any small increase in protection is worth it. We need to sell people on the value to them as individuals rather than just plop more regulations in front of them and hope they accept them.

SBOMs and SBOBs

In the very thought-provoking session "Software Bills of Behaviors: Why SBOMs Aren't Enough," Andrew Hendela laid out the fact that simply knowing what is in your software is not any guarantee of safety. What we need to know is what all of that software does versus what we expect it to do.

Supply chain security is all about trust: explicitly knowing what you can trust and trusting how you came to know that. Even if you write the code yourself, how do you know you can trust your compiler not to insert malicious items? While that might sound a tad paranoid, given that our organizations use so much pre-written, open-source code, it is something to be concerned about.

He shared the story of the popular Python package PyTorch, which was modified to include a malicious compiled binary. The legitimate version of the software also contained a compiled binary, so the package management platform assumed this was all correct, thanks to the SBOM acting as an ingredients list. At no point along the way was the malicious behavior documented through the package release process.

Andrew suggests knowing what each bit of code should do versus what it actually does when run is the best path forward. We can start to build these lists of expected behaviors, the Software Bill of Behaviors, by reading the documentation and running the software in isolated sandbox environments. If there is a strange call to an external, unknown server, then you have an issue. If it does exactly what was described by the privacy policy and author's description, then it will be good to go for production use.

We should be in the habit of asking for patch notes that spell out the expected behaviors and domains/IPs that will be invoked. When possible, we should be building from source code as well. The advantage is you can manually review the code and use static code analysis to ensure it does only what you expect. Reviewing and building from source code can also uncover unintended behaviors, or bugs, that might not be malicious but you want to keep away from production.
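An added example of the check described above, not code from the talk or from any project: a package's observed sandbox behaviour (outbound connections and file writes, taken from a constructed log) is compared against a declared bill of behaviors listing the hosts, address ranges and paths the patch notes say it should touch, and anything undeclared is flagged. The manifest layout, log format, hostname and addresses are all assumptions made for the example.

```python
# Added example (not from the talk or any project); every value below is constructed.
import ipaddress
import re

# Hypothetical bill-of-behaviors manifest a maintainer would ship with patch notes.
EXPECTED_BEHAVIORS = {
    "hosts": {"api.example-pkg.test"},      # constructed hostname
    "cidrs": {"203.0.113.0/24"},            # RFC 5737 documentation range
    "paths": {"/tmp/example-pkg"},          # allowed write-path prefixes
}
# Constructed sandbox log, one event per line: "<kind> <target>".
SANDBOX_LOG = """\
connect api.example-pkg.test:443
connect 203.0.113.7:443
write /tmp/example-pkg/cache.db
connect 198.51.100.9:4444
write /home/user/.bashrc
"""
LINE_RE = re.compile(r"^(connect|write)\s+(\S+)$")

def _allowed_network(target, expected):
    """True if the destination is a declared host or inside a declared CIDR."""
    host = target.rsplit(":", 1)[0]  # strip the port (hostnames and IPv4 only)
    if host in expected["hosts"]:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # undeclared hostname
    return any(ip in ipaddress.ip_network(c) for c in expected["cidrs"])

def _allowed_write(path, expected):
    """True if the path is a declared prefix or lies underneath one."""
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in expected["paths"])

def audit_sandbox_log(log, expected=EXPECTED_BEHAVIORS):
    """Return one finding per observed behaviour the manifest does not declare."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"unparsed: {line}")  # unknown event kinds are findings too
            continue
        kind, target = m.groups()
        check = _allowed_network if kind == "connect" else _allowed_write
        if not check(target, expected):
            findings.append(f"undeclared {kind}: {target}")
    return findings
```

Run against the constructed log, only the connection to the undeclared address and the write outside the declared prefix are reported; a real deployment would replace the log with the output of whatever sandbox tooling is in use.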

Securing the future is collaborative

One of the best parts of RVAsec, and any in-person event, is the hardest to articulate in a blog post. That is the fantastic "hallway track." This is the colloquial term for the interactions that happen between and outside of formal sessions. There was a sense of joy and camaraderie throughout this event that was downright infectious. The first-time attendees, like me, started out as strangers, but by the end, we all felt like a community. If you have never been to an in-person security event, then I highly suggest going to one next time the opportunity arises. There are few experiences like it.

One of the topics that often comes up in the hallway track is the tools people are using. I ended up having a lot of conversations about honeytokens (due to that subject being at the heart of my talk). I was captivated by all the ways people talked about potentially using honeytokens for intrusion detection and perimeter security in general. At GitGuardian, we often talk about using these decoy credentials in private repos, packages, and CI environments. Once security practitioners understand how they work, though, the use cases spread out to services like Slack and Jira, compiled files and way too many others to list here. If you want to dig deeper into GitGuardian Honeytoken or request to be part of the beta program, read more here.

No matter what part of security you focus on, we are all one big community. I hope you go become an active part of your next local meetup or event in your area. There are so many folks who want to share their passion and would love to hear what you have to bring.