Thursday, 25 May 2017

Hallway Talks: Threat Levels

My company has started holding something we call an un-conferance... basically it is an open space where we can give less formal conference style talks (see but more on that later.
Anyway a friend of mine gave an interesting talk at the security un-conference today on actually talking about security that brought to mind an interesting conversation I had with a group of pen testers after the Belfast Bsides event this last year.
Image result for airport security
He spoke about communicating the reasons for security operations to happen with the customers/consumers it will effects and likened it to having airport security being one of the worst experiences when travelling to the point where taking a flight used to be a simple and great experience people would have looked forward to having become a tiresome pain- waiting in lines to be checked over, and even having your favorite soft drink taken off you. Most people will tell you the security in airports now is one of the worst parts of travelling a classic security vs convenience situation is created.
So if we tell people why we are doing the checks will it make people more receptive to adopting the change? Or another side would simply having to explain the threats to the people affected make it very obvious that even if that threat is severe the risk is low enough that it doesn’t warrant the inconvenience?

This was a core point of his talk, we always hear about threat but rarely hear about risk and I remembered this conversation I had in the post-conference celebration with a group of pen-testers in about automated vehicles. One of the days talks focused on how manufacturers of these vehicles so far were not putting an emphasis on security and how you an easily break into them, this also happened with the hackers ale to take control remotely of a partially automated range rover and force it to stop, so a fairly hot topic. Now regardless of how you feel about the possible threat of this happening I didn’t and still don’t believe it would be a reason to not use automated vehicles. My argument for this is that yes the threat is severe but the risk of them getting hacked is trivial.  
Now before you jump on the “your insane, it’s terrifying” … yes the risk is a terrifying prospect but let’s assume the security on the car systems is essentially absent and just pretend that a there is no security whatsoever and you can log into its open hot spot log into a shell and type a command to have the car go or stop. Even then there’s a barrier to entry, the person attempting would need a level of IT skills, a background knowledge of the software its running on and equipment with the ability to extend the range of there connection long enough so the vehicle doesn’t leave it. Of course the level of fear of the threat will never allow such minimal precautions but remember the people who managed to get the car in the news had all that equipment experience and training. They proved it possible not likely, you could achieve the same out come with a pair of snips and an idea what the brake line looks like. I believe that method of attack would be only used for assassination or terror. But the mindset of the pen tester is different, they see attacks everywhere they were insistent kids would find ways of doing this and just murder people for the fun of it and even after there was convictions of what is clearly pre-meditated murder and the security brought up to high levels you would still get the odd person who would sit there and figure out how to brake it.
It’s hard to argue with what is possible.  Even with the more security you put on something, in this example an automated car, the higher the barrier to entry of attack is… but it will always be a possibility. I think with the level of fear in automated cars the manufacturers will put effort into securing them especially if there liable for negligence leaving that risk trivial but please tell me what you think?
There is an important take away from this however.
  •          When you’re focused on the possibilities and not likelihood it’s easy to overestimate the level of mitigation required.
  •          Security needs to be invisible, effective and at least appear seamless to the end customer.
  •          When explaining risks to someone who doesn’t agree, pushing that risk possibility can make your argument sound even more ridiculous or far-fetched (this is where people get annoyed with airport security).