Moving Fast and Breaking Things: Security Misconfigurations

Wednesday, January 30, 2019 - 11:00 am11:30 am

Kevin Borgolte, Princeton University

Abstract: 

Nowadays, security incidents have become a familiar "nuisance," and they regularly lead to the exposure of private and sensitive data. In practice, the root causes for such incidents are rarely complex attacks. Instead, they are enabled by simple misconfigurations, such as authentication not being required, or security updates not being installed. For example, the leak of over 140 million Americans' private data from Equifax's systems is among most severe misconfigurations in recent history: The underlying vulnerability was long known, and a security patch had been available for months, but it was never applied. Ultimately, Equifax blamed an employee for forgetting to update the affected system, highlighting his personal responsibility.

In this talk, we investigate the operators' perspective on security misconfigurations to approach the human component of these security issues. We focus on system operators, because they are, ultimately, the ones being made responsible for the misconfigurations. Yet, they might not actually be a security issue's root cause, but other organizational factors might have led to it. We provide an analysis of system operators' perspective on security misconfigurations, and we determine the factors that operators perceive as the root causes. Finally, based on our findings, we provide practical recommendations on how to reduce security misconfigurations' frequency and impact.

Kevin Borgolte, Princeton University

Kevin Borgolte is a postdoctoral research scientist at Princeton University in the Department of Computer Science and the Center for Information Technology Policy. His research interests span network and system security, currently focused on large-scale Internet abuse, IPv6 security, and security misconfigurations. He is a member of the Shellphish Capture the Flag team, and he won third place in the DARPA Cyber Grand Challenge (CGC). Kevin holds a PhD in Computer Science from the University of California, Santa Barbara, which he earned in September 2018.

BibTeX
@conference {226339,
author = {Kevin Borgolte},
title = {Moving Fast and Breaking Things: Security Misconfigurations},
year = {2019},
address = {Burlingame, CA},
publisher = {{USENIX} Association},
}