Enterprise Cyber Security – post-event notes

Written on 23 September 2018, 04:22pm


Some notes following the Enterprise Cyber Security Europe event, 19 September 2018, Amsterdam.

  • @ThomLangford: When trying to hire, look for passion. Technical skills can be taught later on. Also, look for the people who care about what they do, who are full of energy, who are constantly pushing their limits and who are filled with passion. 
  • Humans are indeed the weakest link in any security system, because brains are hard to upgrade and because emotional manipulation is easy. 
  • So how do you deal with the human risk? 3 possible avenues:
    • throw technology at it
    • improve your internal processes (e.g. out-of-band validation)
    • or develop a continuous and adaptive security awareness program, something the people at Terranova seem to know how to do well. 
  • Awareness is for everybody, training is for similar groups of people (e.g. a department), education is for the ones who genuinely want to learn
  • The story of the women codebreakers at Bletchley Park is fascinating
  • Total cyber crime revenues: in the region of $1.5 trillion annually
  • Time to detect a data breach: between 99 and 197 days depending on who you ask. Either way, it feels like an eternity
  • You can actually turn a data breach into a positive development for your organisation if you manage to be humble, transparent and willing to improve things
  • Booking.com has an interesting ‘everything is a test’ culture (over 1000 experiments going live at any given time). The company brands itself as a ‘developer-first enterprise’. You must make an effort to find a compromise between security and usability
  • Preparing for the GDPR should have been easy as long as you have a user-oriented mindset. Don’t forget about the tools for user data export and user data deletion.

Image: Over Amstel, close to the venue

Understanding security controls

Written on 23 September 2018, 03:39pm


What better way to understand the types of security controls than to put them into an example? Home security, in this case.

Deterrent controls: a sticker on the front window saying that the house is linked to a security center. Or a dog house.

Preventive controls: locks on the access doors and windows. And a big dog. PS: defense in depth is critical.

Detective controls: security cameras calling up the monitoring center and/or the owner’s smartphone. Or a dog who never sleeps and who barks really loudly. PS: detective controls imply that an attack has begun.

Corrective controls: a loud, indoor siren and a system that blinks the house lights when an intrusion is detected. Or a dog that can bring more bad dogs to save the day. PS: corrective controls react to an attack.

Compensating controls: motion sensors on the outside of the building and on all the floors, on top of the ones installed on the ground floor. Or a second dog. PS: compensating controls are added after identifying deficiencies in existing controls.

Image: https://www.tomalsojerry.com/tom-jerry-solid-serenade/

TLS Training London – day 2

Written on 8 September 2018, 02:07pm


Again, some notes about the second day of the excellent TLS Training delivered by Scott Helme. 

  • symmetric encryption is fast. AES is fast enough for transferring large amounts of encrypted data (e.g. streaming)
  • asymmetric encryption is slow, therefore it’s only used for the authentication, at the beginning of the secured session
  • The RSA algorithm was actually invented 4 years before it was publicly described: the acronym RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1978. Clifford Cocks, an English mathematician working for the British intelligence agency Government Communications Headquarters (GCHQ), had developed an equivalent system in 1973, but this was not declassified until 1997.
  • Hashing: SHA256 (a member of the SHA-2 family) is considered strong enough. Alternatives for the future are SHA384 and SHA512 (longer digests), but if SHA-2 is fundamentally broken, then the SHA-3 family (Keccak) comes to the rescue. It’s like a never-ending cat-and-mouse game between cryptographers and cryptanalysts.
  • The CAs store their private keys in HSMs and rarely rotate them (a lifetime of a few decades is not uncommon)
  • There is a good analogy between digital certificates and passports
  • X.509 is the standard describing the structure of digital certificates. Currently at version 3, it introduced extensions (arbitrary metadata as key/value pairs). Example of an extension: the SAN (Subject Alternative Name), where a number of domains can be given on top of the common name (CN). In fact, Google Chrome only looks at the SAN when parsing a certificate.
  • The certificate chain is typically composed of the Root CA certificate, then the Intermediate CA certificate(s) and finally the end-entity certificate (the leaf). The last intermediate certificate has the ‘path length’ parameter set to 0 (its children can only be leaves).
  • The Root CA certificates are provided by the client (stored in the browser or OS), while the intermediate CA and end-entity certificates are provided by the server (the intermediate CA cert for performance reasons)
  • It takes on average 5-6 years to become a Root CA. And if you want this, you must work with the following 5 relying parties carrying a set of root keys in their trust store: Apple, Google, Java, Mozilla, Microsoft. Let’s Encrypt started in 2016 and it’s not yet a Root CA; they are currently using another root CA to cross-sign their certificates (IdenTrust). 
  • The Web PKI is governed by the CAB Forum, an entity where the Certificate Authorities and the major browsers are represented.
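To make the chain and SAN rules from the notes above concrete, here is an added Python example (not from the training or from the post author) that models a root -> intermediate -> leaf chain with constructed, unsigned stand-in certificates and checks the ‘path length’ constraint and SAN-only hostname matching; the Cert class, the sample names and the simplified matching rules are assumptions, and signatures are not verified.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Cert:
    # Constructed stand-in for an X.509 certificate; signatures are not modelled.
    subject: str
    issuer: str
    is_ca: bool                                    # basicConstraints cA flag
    pathlen: Optional[int] = None                  # basicConstraints path length
    san: List[str] = field(default_factory=list)   # SAN dNSName entries

def hostname_matches_san(hostname: str, san: List[str]) -> bool:
    """Match against the SAN only (CN ignored, as Chrome does); a wildcard is
    honoured only as the leftmost label and covers exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue                               # no multi-label wildcards
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True                        # *.example.com vs www.example.com
        elif labels == host:
            return True
    return False

def validate_chain(chain: List[Cert], hostname: str) -> Tuple[bool, str]:
    """chain is ordered root -> intermediate(s) -> leaf; returns (ok, reason)."""
    root, leaf = chain[0], chain[-1]
    if root.subject != root.issuer or not root.is_ca:
        return False, "first certificate is not a self-signed CA"
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False, f"{child.subject} is not issued by CA {parent.subject}"
    # pathlen caps how many further CA certs may follow this one; 0 means leaves only
    for i, ca in enumerate(chain[:-1]):
        if ca.pathlen is not None:
            cas_below = sum(1 for c in chain[i + 1:-1] if c.is_ca)
            if cas_below > ca.pathlen:
                return False, f"{ca.subject} allows {ca.pathlen} CA(s) below, found {cas_below}"
    if not hostname_matches_san(hostname, leaf.san):
        return False, f"{hostname} is not in the SAN {leaf.san}"
    return True, "ok"

# Constructed sample chain: root -> intermediate with pathlen 0 -> leaf
ROOT = Cert("Example Root", "Example Root", True)
INTER = Cert("Example Intermediate", "Example Root", True, pathlen=0)
LEAF = Cert("CN=www.example.com", "Example Intermediate", False, san=["example.com", "*.example.com"])
CHAIN = [ROOT, INTER, LEAF]
```

A leaf that carries the hostname only in its CN is rejected, as is a chain that slips an extra sub-CA under the pathlen-0 intermediate.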
To be continued…