Enigma 2019 has ended
Wednesday, January 30 • 11:00am - 11:30am
Moving Fast and Breaking Things: Security Misconfigurations

Sign up or log in to save this to your schedule and see who's attending!

Nowadays, security incidents have become a familiar "nuisance," and they regularly lead to the exposure of private and sensitive data. In practice, the root causes for such incidents are rarely complex attacks. Instead, they are enabled by simple misconfigurations, such as authentication not being required, or security updates not being installed. For example, the leak of over 140 million Americans' private data from Equifax's systems is among most severe misconfigurations in recent history: The underlying vulnerability was long known, and a security patch had been available for months, but it was never applied. Ultimately, Equifax blamed an employee for forgetting to update the affected system, highlighting his personal responsibility.

In this talk, we investigate the operators' perspective on security misconfigurations to approach the human component of these security issues. We focus on system operators, because they are, ultimately, the ones being made responsible for the misconfigurations. Yet, they might not actually be a security issue's root cause, but other organizational factors might have led to it. We provide an analysis of system operators' perspective on security misconfigurations, and we determine the factors that operators perceive as the root causes. Finally, based on our findings, we provide practical recommendations on how to reduce security misconfigurations' frequency and impact.


Kevin Borgolte

Princeton University
Kevin Borgolte is a postdoctoral research scientist at Princeton University in the Department of Computer Science and the Center for Information Technology Policy. His research interests span network and system security, currently focused on large-scale Internet abuse, IPv6 security... Read More →

Wednesday January 30, 2019 11:00am - 11:30am
Grand Peninsula Ballroom ABCD

Twitter Feed