[Ach] 30C3 talk "The Internet (Doesn't) need another security guide"

ianG iang at iang.org
Tue Jan 14 08:46:29 CET 2014

On 14/01/14 03:07 AM, L. Aaron Kaplan wrote:
> Hi list,
> I finally came around to watching evacide's talk "The Internet
> (Doesn't) need another security guide" [1] where she mentions our
> small project in minute ~ 18 or 19 [2] (Yay! Thanks). Spoiler
> alert: Eva actually says that we need more (targeted, good, correct
> and well defined) guides for sure.

Yes, and more *short* guides.  Nobody reads long things.

> It's a good talk and I encourage you to watch it as well.
> There are a couple of things that stuck:
> 1. Eva mentioned that bettercrypto.org could use a section on how
> to convince your boss that the company needs hardened Crypto
> settings and that the sysadmins should invest time into that. Do
> you agree with that point of view? Should we add such a section?

Hmmm.  Well, mindshare is an important part of the battle.  It may be
that a short section on useful arguments to win your boss over could help.

1.  A breach of the company's data will bring in a lot of unexpected
costs:  public exposure, customer anger and lost customers, data
protection regulator attention, potential liabilities, ... and rework,
lots and lots of rework.  (You can actually find cost estimates for
this on the net now.)

2.  Heads may roll.  Whose?

3.  If a breach does happen, your best defence is to have a security
document that outlines what was done before.  You get 9 out of 10
points for saying what you did.  If the document says "we followed
BetterCrypto's recommendations," that is good.  That is evidence that
you did something.

4.  Sysadms can help: they can write the document.  Remember: nobody
else is likely to write it!  It doesn't need to be nice and pretty.

5.  Managers can help: they can look at the document and say, "OK, do
that."  If the sysadm helps self, writes it, and hands a document to
the Manager, the chances of cooperation go up, because Managers always
like work already done.

6.  Audit time is also assisted by having a document as above.  Audit
is about "say what you do, and do what you say."

It needs to be short.  Nobody reads long stuff.  Like my emails ;)

> 2. Threat modelling: Eva mentioned that most guides first focus on
> a threat model. We don't really do that so much in ours. Are we
> missing something here?

Deliberately.  The guide is for a fast cut&paste for busy sysadms.  If
they want to know why, they know where to go.  The guide tells them
what; if it also said much about why, that would be the end: it would
explode in complexity, and also give people a wedge to prevaricate and


> 3. Understanding your target audience: it seems we have been doing
> something right, because we first focused on our clearly defined
> target audience. However, I think we need to improve even more in
> this field: we should hand this guide to multiple sysadmins and let
> them test the guide and collect as much feedback as possible.

That's a good point.  We may be swept along by our own
self-congratulation, and the talking heads are always happy to agree
when it makes them look wise.

Test-marketing.  Perhaps each person takes a copy to one sysadm who is
totally unrelated to the project, and isn't really up on the topic ...
and does a trial work through?  Don't so much teach as see what
happens when the guide is in their hands.

I'm sure that can be improved :)  The trick is to test it in such a
way that our own testing doesn't interfere with the results.

