According to the website, "BSides Idaho Falls is a conference for sharing security knowledge to anyone wanting to receive it. It's about building a community that thrives on sharing information and building each other up. Every person who attends BSides Idaho Falls is not just coming to a conference; they are joining a family that will help build them up and educate them for success. It is to educate and build relationships among everyone in all security fields. BSides is about Unity, Family, Socialization, and learning."
I love this community oriented concept and I love the focus on cybersecurity. This conference places an emphasis on hands-on learning with computers in some of the presentation rooms and a hardware kit in the registration packets.
In Fall of 2021, Bsides was excited to return to a hybrid in-person environment following 2020, the year that just about every in-person activity was cancelled. While I think to truly get the feel of Bsides you have to be in person, I appreciated that there was still a virtual option for me to participate.
I am lucky enough to have a role that allows me to work full-time remotely. Because business travel is still restricted to mission-critical trips only, I was not able to travel to Idaho Falls for the conference, but I was able to dial in to all the talks and even give my own!
In my presentation, I talked about the confluence of resilience and cybersecurity via a risk assessment framework.
Risk is commonly explained as a relationship between the likelihood of an event occurring and the consequence of that event were to occur.
Risk = Likelihood x Consequence
This is a good starting point, but it can be particularly difficult to assess the likelihood of a cyberattack occurring. How do you know if your system will be targeted? What kind of attack will it be hit with? What systems will the attackers focus on? What is their end objective? The consequence can be more straightforward. If we make assumptions about what type of cyberattack is occurring, we can use knowledge of the system and the protections in place to assess the impact the attack would have. To get a better understanding of Likelihood, we can further break it down as:
Risk = Threat x Vulnerability x Consequence
Vulnerability refers to weaknesses or flaws in the design or implementation of the system. It can be the traditional bug in software or firmware that needs to be patched to be fixed. It could be a misconfigured file, poor implementation of a firewall, or any number of other things. The important thing is that vulnerability is tied to the system and is usually something that can be patched, corrected, or hardened to reduce overall risk. Threat refers to the actions of the adversary. Like we did with Risk and again with Likelihood, we can break Threat down even further into concepts that are more concrete to evaluate.
Threat = Intent x Capability x Opportunity
Intent refers to the goals of an adversary. An adversary can intentionally or unintentionally target a system. Intents can range from financial motives to destructive motives to socio-political motives and more. Capabilities refer to the skills and resources an adversary has. A basic hacker, an insider, and a hostile nation state will all have differing skills and resources available to them which may increase or decrease the risk to the system. Finally, opportunity refers to the ability to access a system. This should not be confused with vulnerability. A system can be filled with vulnerabilities, but if it is totally isolated, there is very limited accessibility. Similarly, a system could be fully exposed to the internet, but if it is extremely well hardened, the risk to the system may still be low.
Intent, Capability, Opportunity, and Vulnerability... All of these factors contribute to the Likelihood that an attack will be successful. After understanding the risks associated with a system, it also important to understand how to mitigate that risk. It is impossible to protect against all possible cyberattacks. A good strategy is always to start by addressing the biggest risks. But how can we reduce risks?
By adding resilience measures. Resilience can be applied to most components of risk. Intent and capability are directly related to the attacker. It is usually beyond our control what attackers motives, targets, and capabilities might be. But we can take action to reduce attack surfaces, eliminate vulnerabilities, and develop response plans so consequences are limited if attacks are carried out.
You can view all the archived presentations from Bsides Idaho Falls 2022 here. My time slot starts at 6:49:00.