Time to Grow Up: Counterproductive Security Behaviors That Must End

chriseng
November 18, 2016

You’ve heard it all before: “The security industry has failed.” “Developers just don’t care.” “They deserved to be breached.” These and many other overused themes are promulgated by security practitioners at conferences, in social media, and worst of all, in their day jobs. Security practitioners, particularly those new to the industry, regurgitate the same counterproductive ideas and behaviors to the extent they have become clichés. This ultimately damages our collective credibility and creates unnecessary barriers to what we are trying to accomplish. We often lack empathy and pragmatism, reverting to stereotypical one-dimensional attitudes rather than focusing on the positive outcomes we are trying to achieve. We are, at times, caricatures of ourselves. In this presentation, we will take a light-hearted look at many of these problematic themes and discuss how we as security professionals can do better.

The slides are not that useful without the narration. Here are a couple of videos.

- Closing keynote, Kaspersky Security Analyst Summit 2017 (a more concise version of this deck, which I like much better):
https://www.youtube.com/watch?v=amEczve2rPk
- Closing keynote, Countermeasure 2016 (this exact deck):
https://www.youtube.com/watch?v=1jQP1FTnd8Q

[I would also like to clarify that none of the tweets/quotes in the slides are used as examples of badness (other than the @BritishGasHelp one maybe). They simply help illustrate a particular theme. And the slides about age at the beginning are just me poking fun at myself for turning 40 -- nothing more nothing less.]

Transcript

  1. Time to Grow Up:
    Counterproductive
    Security Behaviors
    That Must End
    Chris Eng
    Countermeasure
    November 18, 2016
    @chriseng

  2. “A person who has not made
    his great contribution to
    science before the age of 30
    will never do so.”
    — Albert Einstein

  3. “People under 35 are the
    people who make change
    happen. People over 45
    basically die in terms of new
    ideas.”
    — Vinod Khosla
    (co-founder, Sun Microsystems)

  4. Like models, hackers wear a
    lot of black, think they are
    more famous than they are,
    and their career effectively
    ends at age 30. Either way,
    upon entering one's third
    decade [sic], it is time to put
    down the disassembler and
    consider a relaxing job in
    management.
    http://pwnies.com/winners/

  5. Dino Dai Zovi
    How you know that you are old in
    infosec: you remember when you
    were trying to get the world to
    care about improving security.
    @dinodaizovi
    https://twitter.com/dinodaizovi/status/783863023257518080

  6. In lieu of the bio slide
    First computer: TI-99/4A
    First language: BASIC
    First software shipped: @stake WebProxy
    First modem: 1200 bps
    First security job: NSA
    First software cracked: “Skate or Die!” for PC
    First keynote: right now
    http://about.me/chriseng (if you insist on biographical info)

  7. (image-only slide)

  8. Security industry,
    current state
    http://www.picturesinboxes.com/2014/09/04/superman-jerk/

  9. Your job today…

  10. Failure

  11. Self-portrait of
    security industry,
    ca. 2016

  12. Infosec Taylor Swift
    “If it’s connected to the Internet,
    it’s already compromised.”
    (1) discourages security steps
    that work
    (2) defeatist
    (3) demonstrably false
    @SwiftOnSecurity
    https://twitter.com/SwiftOnSecurity/status/790703130321137664

  13. Jeff Jarmoc
    In a relatively short time we’ve
    taken a system built to resist
    destruction by nuclear weapons
    and made it vulnerable to
    toasters.
    @jjarmoc
    https://twitter.com/jjarmoc/status/789637654711267328

  14. Casey Ellis
    So, it’s like boxing — but your
    goal is to stay in the ring for as
    long as possible until you lose.
    Sound fun?
    @caseyjohnellis
    https://twitter.com/caseyjohnellis/status/785685415583887362

  15. Consider doing differently
    Stop framing everything as failure
    Celebrate successes
    Avoid thinking in extremes
    Be honest about things we can do better
    Make useful suggestions

  16. Perfection or Nothing

  17. “Le mieux est l’ennemi du bien”
    (The best is the enemy of the good)
    — Voltaire

  18. Martin Fisher
    There is a bizarre false binary that
    says if you aren’t “secure” you’re
    “failing”. It's frustrating.
    @armorguy
    https://twitter.com/armorguy/status/768797512354279425

  19. Darren Meyer
    If you’re a big enterprise then the
    security industry is your
    emotionally abusive spouse.
    @DarrenPMeyer
    (Slack DM, shared with permission)

  20. (image-only slide)

  21. David Shaw
    There have been a lot of issues
    with OpenSSL, too, but you don’t
    see people recommending
    plaintext.
    @dshaw_
    https://twitter.com/dshaw_/status/758411021090336768

  22. Matt Suiche
    Exploiting vulnerabilities 2006
    versus 2016. Lots of mitigation
    had been put in place over the
    past 10 years.
    @msuiche
    https://twitter.com/msuiche/status/789072206554771456

  23. (image-only slide)

  24. Halvar Flake
    Time-to-exploit went from a day
    15yrs ago to a week or so 10yrs
    ago to months now.
    @halvarflake
    https://twitter.com/halvarflake/status/789229987756969985

  25. Mark Dowd
    I need a montage to write one
    nowadays.
    @mdowd
    https://twitter.com/mdowd/status/789230539806871552

  26. Consider doing differently
    Beware false dichotomies
    Remember you’re allowed
    to iterate
    Apply the 80-20 rule (or 90-
    10, or whatever)

  27. Developers are…

  28. Stupid Developers

  29. John Wilander
    At #OWASPSummit: “Developers
    don't know shit about security”.
    Well, I got news. You don’t know
    shit about development.
    @johnwilander
    https://twitter.com/johnwilander/status/35031093161762816

  30. Developer priorities
    Functions and features
    Performance
    Usability
    Uptime
    Maintainability
    Security
    http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html

  31. Chris Eng
    We ended up finding the real
    “developer outreach” session. It
    had 4 people instead of 0!
    #OWASPSummit
    @chriseng
    https://twitter.com/chriseng/status/35701606616023040

  32. Christien Rioux
    Developer Myth: if it was hard to
    write it should be hard to exploit.
    Hacker Myth: if it was easy to
    exploit it should be easy to fix.
    @dildog
    https://twitter.com/dildog/status/665574124564058112

  33. (image-only slide)

  34. “Instead of assuming that
    others share our principles, or
    trying to convince them to
    adopt ours, we ought to
    present our values as a
    means of pursuing theirs. It’s
    much easier to link our
    agendas to familiar values
    that people already hold.”

  35. Proof it works

  36. Consider doing differently
    Quit with the “developer
    fail”
    Learn about development
    process/workflow
    Call out your peers when
    they do it
    Understand your
    developers’ motivations

  37. Victim Blaming

  38. Just-World Hypothesis
    The idea that people need to
    believe one will get what one
    deserves so strongly that they
    will rationalize an inexplicable
    injustice by naming things the
    victim might have done to
    deserve it.
    https://psychcentral.com/encyclopedia/just-world-hypothesis/

  39. (image-only slide)

  40. Katie Moussouris
    It’s like watching people be mad
    at cancer patients for not fighting
    hard enough.
    @k8em0
    (Twitter DM, shared with permission)

  41. “Blame is the enemy of safety.
    … Assume nobody comes to
    work to do a bad job.”
    http://www.apta.com/mc/rail/previous/2011/Presentations/N-Leveson-A-Systems-Approach-to-Safety.pdf

  42. (image-only slide)

  43. Consider doing differently
    Stop being so gleeful about
    breaches
    Assume your people have
    good intentions
    Remember who the
    criminal is
    Look for systemic issues
    instead
    Empathy, not blame

  44. Dogma

  45. passwordistoostrong
    Warning: Your password policy
    must not contain more than 6
    bullet points.
    @PWTooStrong
    https://twitter.com/PWTooStrong/status/777929902993670146
    (also see http://password-shaming.tumblr.com)

  46. Clever analogy
    does not equal
    good advice
    (Twitter link redacted out of courtesy)

  47. Avi Douglen
    Really any kind of cargo cult “Best
    Practice”, without risk analysis.
    Prescribing solutions before
    understanding the problem.
    @sec_tigger
    https://twitter.com/sec_tigger/status/784081180589232128

  48. Wendy Nather
    Conventional wisdom in infosec
    assumes everyone has a
    standard set of pieces.
    Sometimes all you have to work
    with are 2 pawns and a penny.
    @RCISCwendy
    https://twitter.com/RCISCwendy/status/787378750631481344

  49. Rob Graham
    The problem in infosec is that few
    accept the important fact that
    security is a tradeoff: effort spent
    on security means [effort not]
    spent elsewhere.
    @ErrataRob
    https://twitter.com/ErrataRob/status/787913823135076352

  50. Pwn All The Things
    Spending any seconds at all on
    “weak SSL ciphers” when your
    website is still full of SQL
    injections.
    @pwnallthethings
    (Twitter DM, shared with permission)

  51. “Basically, you’re either dealing
    with Mossad or not-Mossad. If
    your adversary is the Mossad,
    YOU’RE GONNA DIE AND
    THERE’S NOTHING THAT YOU
    CAN DO ABOUT IT. The
    Mossad is not intimidated by
    the fact that you employ
    https://.”
    http://scholar.harvard.edu/files/mickens/files/thisworldofours.pdf

  52. “Obscurity as a layer can be
    used to enhance real security
    that already exists.”
    https://danielmiessler.com/study/security-by-obscurity/#gs.H=fo=_w

  53. USENIX Security
    Happy 25th Anniversary USENIX
    Security Symposium! Hope to see
    everyone again at the 26th!
    #sec16
    @USENIXSecurity
    https://twitter.com/USENIXSecurity/status/764220203525865473

  54. (image-only slide)

  55. Wendy Nather
    Try saying this: “This security
    choice doesn't look good to me,
    but I don't know all the internal
    risk analysis that went into it.”
    @RCISCwendy
    https://twitter.com/RCISCwendy/status/764594565617627136

  56. Consider doing differently
    Resist the urge to present
    dogma as “best practices”
    Remember that security
    decisions are tradeoffs
    Avoid the phrase “best
    practices” whenever
    possible
    Don’t rush to judgment

  57. Hacker Cred

  58. Shawn Moyer
    The aggressiveness by which
    someone self identifies as a
    hacker is almost always inversely
    proportional to how much they
    are one.
    @shawnmoyer
    https://twitter.com/shawnmoyer/status/775756753644449792

  59. https://www.flickr.com/photos/digitalgamemuseum/6120468075/ (CC BY 2.0)

  60. Peter Pan Syndrome
    (not officially a DSM disorder)

  61. Hey, y’all
    http://www.businessinsider.com/22-maps-that-show-the-deepest-linguistic-conflicts-in-america-2013-6

  62. Embracing the stereotypical
    hacker mystique as a means
    of signaling “eliteness”
    (i.e. group membership)

  63. (image-only slide)

  64. Consider doing differently
    Act like adults
    Be humble
    Help us all get taken more seriously
    Think about how you’re being perceived
    Pragmatism, not paranoia

  65. And More…
    Squirrels, thought leadership, stupid users, and sexism

  66. Alex Stamos
    Not a single sample [from
    Operation Manul]...
    employed a 0-day.
    @alexstamos
    https://twitter.com/alexstamos/status/761264871778365443

  67. 99% of attempted attacks
    impacted vulnerabilities for
    which an update was
    available. Or, put differently,
    0-day vulnerabilities were
    barely relevant in the overall
    picture.
    https://blogs.technet.microsoft.com/mmpc/2011/10/10/new-microsoft-security-intelligence-report-volume-11-now-available/

  68. Dave Aitel
    There's a dichotomy of things
    that are easy to scan for and
    things that are actually risky, and
    they are very different sets.
    POODLE is only really useful to
    the NSA.
    — Dave Aitel
    S4x16 Keynote, January 2016
    @daveaitel
    https://www.youtube.com/watch?v=p1zSlUBfSUg

  69. Jayson Street
    You’re not a rockstar. You’re a
    dentist. Get over yourself.
    @jaysonstreet
    https://twitter.com/RCISCwendy/status/790648162142871553 (Wendy’s tweet, Jayson’s quote)

  70. Chris Eng
    Remember #RSAC
    #thoughtleaders, ask me for a
    ribbon... if you qualify (i.e. you've
    ever had a thought). :-)
    @chriseng
    https://twitter.com/chriseng/status/704143336290930689
    http://tiny.cc/thoughtleader (n.b. some cultural references outdated)

  71. John Bellomy
    Engineers don't let engineers
    design user interfaces.
    @cowbs
    https://twitter.com/cowbs/status/516045565847535616

  72. British Gas Help
    We'd lose our security certificate
    if we allowed pasting. It could
    leave us open to a “brute force”
    attack. Thanks ^Steve
    @BritishGasHelp
    https://twitter.com/BritishGasHelp/status/463619139220021248

  73. Adrienne Porter Felt
    My sister mistook Chrome’s red
    lock icon for a red purse. And you
    know what... she's totally right. So.
    Goddamn.
    @__apf__
    https://twitter.com/__apf__/status/634858452309831680

  74. Arne Roomann-Kurrik
    Next time you talk about trying to
    design something so simple your
    mother could use it try using a
    sewing machine you
    condescending shit.
    @kurrik
    https://twitter.com/kurrik/status/786395581237170176

  75. (image-only slide)

  76. (image-only slide)

  77. The Persister is dedicated, observant,
    and conscientious. They believe that
    values are essential virtues. They are
    motivated by recognition of their
    convictions.
    As Persisters experience pressure and
    distress, they notice faults in others.
    They notice more of what is wrong
    than what is right. They may go on the
    attack, preaching to others from a
    strong belief system in a self-righteous
    and condescending manner.

  78. (image-only slide)

  79. We talked about some things
    Failure
    Perfection or nothing
    Dogma
    Victim blaming
    Stupid developers
    Hacker cred
    Squirrels
    Sexism
    Stupid users
    Thought leadership
