Hot Takes and Cool Strategies: BSides Las Vegas 2024
The beginning of summer in Las Vegas is very busy, despite the heat. With over 150,000 hotel rooms within the city limits alone, it can accommodate some very large crowds. This is fortunate because two of the largest security conferences in the world happen in Las Vegas every year: BlackHat and DEF CON.
In the shadow of these giants, there is a smaller community-driven event that has been happening since 2009. The original meetup was less than 100 people, but it has inspired events in 173 countries around the world. It has grown to over 3500 participants this year, making BSides Las Vegas 2024 the largest of all the BSides.
A conference of conferences
Like most other conferences, there are keynotes that start each day. This year featured Sven Cattell discussing securing AI, and Dr. Andrea M. Matwyshyn, who gave a very provocative talk about the "Goldilocks problem" and the fact that the line between civilian vs national security has been effectively eliminated in the modern threat landscape.
However, unlike most tech conferences, which have multiple speaking tracks but all around a central tech or idea, BSidesLV has multiple “grounds.” Each acts as its own little conference with a dedicated theme and organizer.
We all meet in the middle to drink, eat, share ideas and make memories in an area literally called Middle Ground. The grounds range from Breaking Ground, a track all about showing off your innovation, to Hire Ground, which focuses on career growth.
Your author was naturally drawn to PasswordsCon, which was chaired this year by Per Thorsheim, who shared his research into structuring surveys around password practices and also introduced most of us to the US telecom law STIR/SHAKEN, which was intended to end spam calls. I was fortunate enough to be a PasswordsCon speaker, discussing the dangers of long-lived credentials and what to do about them. I was not the only person to bring this up. Here are just a few of the amazing highlights from this fantastic event within the event.
Rotating secrets should not require downtime
In his insightful talk "Zero downtime credential rotation," Kenton McDonough postulated that one of the largest reasons teams hate credential rotation is that it brings with it a chance of downtime. The most common pushback he hears is that a change would require a system reboot, and that might break something or cause a larger issue. Worse, it might cause the operations team to not meet their uptime SLAs, which is bad.
After walking us through the core concepts of using secrets managers, Kenton talked about the difference between Push and Pull models of secrets deployment and shared successful strategies he has implemented to reduce downtime as much as possible, satisfying the "A" in the security CIA triad.
In a Push model, any secrets are injected directly into the environment at build time. This means any changes require a new build. Just changing the secret in the secrets manager will not work. In a Pull model, the application retrieves the secret from a secrets manager either directly or indirectly.
Based on the Pull model, he suggests using Blue/Green deployments leveraging an optimistic refresh strategy. This is a time-limited approach where the app polls the vault for a new secret every so often, ensuring that it stays in sync. If you want to learn more, fortunately, this and all the other talks were recorded and will be available on the official BSidesLV YouTube channel.
Proving a human is the correct human
In his talk, "We removed passwords, now what?" Aldo Salas, Application Security Lead at HYPR introduced us to the concept of IDV - Identification Verification. He defined IDV as the process of confirming that an individual or business is who they say they are. It is also the next logical step in securing human identities.
Currently, most people rely on passwords to access their accounts and, hopefully, are using some form of MFA. We are watching passwordless solutions rapidly becoming more popular, though. Aldo shared that Google has reported that over 1 billion people have adopted passkeys. IDV is a step beyond that where you must interact with another person or do something complex enough that it could only be you.
This is already in use, and you might have already experienced it. For example, if you have ever needed to take a selfie or make a small video of yourself to verify a check-in process, then you have used IDV. Some implementations even involve a step where humans talk to you.
He shared an interesting story of the Mexican Tax Administration Service (SAT) requiring people to sing a little line or two from traditional songs. My favorite example had lyrics which translate to English as "I don't know who loses more in this farewell." Imagine your bank asking you to do that to get access. This is one of the major hurdles– user resistance.
Asking people to do 'weird' things for security does not have a good adoption rate. There is also the question of how to store PII and what privacy implications will emerge. However, he emphasized that it is here to stay, driven by the fact we keep moving all traditional paperwork online.
Your logs are key to detecting badness
In their highly informative co-presentation, "Detecting Credential Abuse," Google Engineers, Kathy Zhu, and Troy Defty walked us through the fundamentals of detecting badness in our environments in the case an attacker has compromised an account through the use of a stolen, forged, or shared password.
They explained that logs are the most important tool in your defensive arsenal. Kathy iterated, "Your first step shouldn't be to implement detection. It should be making sure your logs do what you need them to do." Logs show what has happened, and only if you get good data and enough data can you start to implement pattern recognition.
Good logging requires balancing costs and coverage. You want log diversity, where logs can agree, and log granularity, which allows you to narrow in on a single data point when needed. However, those come at the price of complexity. The more you log, the more complex your detection logic will become, requiring more resources.
According to Troy, once you know you have good data, you can tighten your security anomaly scanning. Some anomalies they discussed included "impossible travel," where a user logs in from places too far apart to make sense and sessions happening on multiple computers over long periods of time.
BSides was so hot
In the background of all our fun and learning at BSides, Las Vegas had an average temperature of 111F°/44C° in the middle of the day and over 90F°/32C° overnight. Even with the extreme temperatures, the BSides community had a lot of fun at their annual pool parties and karaoke night outdoors. There was a real sense of going through it together as one people.
Guarding against threats and reacting to attacks is a lot like that heat. It would be better if the temperature went a little lower, we can't really predict it day by day, and it seems to be getting hotter every year. However, it would be way worse to do it alone. Good thing there is the BSides community. If you can't make the original in Vegas, there is a good chance there will be BSides near you.