Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Time to Grow Up: Counterproductive Security Behaviors That Must End

20b25a4e0db77fa2c02dd45ee9ba3eb1?s=47 chriseng
November 18, 2016

Time to Grow Up: Counterproductive Security Behaviors That Must End

You’ve heard it all before: “The security industry has failed.” “Developers just don’t care.” “They deserved to be breached.” These and many other overused themes are promulgated by security practitioners at conferences, in social media, and worst of all, in their day jobs. Security practitioners, particularly those new to the industry, regurgitate the same counterproductive ideas and behaviors to the extent they have become clichés. This ultimately damages our collective credibility and creates unnecessary barriers to what we are trying to accomplish. We often lack empathy and pragmatism, reverting to stereotypical one-dimensional attitudes rather than focusing on the positive outcomes we are trying to achieve. We are, at times, caricatures of ourselves. In this presentation, we will take a light-hearted look at many of these problematic themes and discuss how we as security professionals can do better.

The slides are not that useful without the narration. Here are a couple of videos.

- Closing keynote, Kaspersky Security Analyst Summit 2017 (a more concise version of this deck, which I like much better):
- Closing keynote, Countermeasure 2016 (this exact deck):

[I would also like to clarify that none of the tweets/quotes in the slides are used as examples of badness (other than the @BritishGasHelp one maybe). They simply help illustrate a particular theme. And the slides about age at the beginning are just me poking fun at myself for turning 40 -- nothing more nothing less.]



November 18, 2016


  1. Time to Grow Up: Counterproductive Security Behaviors That Must End

    Chris Eng Countermeasure November 18, 2016 @chriseng
  2. “A person who has not made his great contribution to

    science before the age of 30 will never do so.” — Albert Einstein
  3. “People under 35 are the people who make change happen.

    People over 45 basically die in terms of new ideas.” — Vinod Khosla (co-founder, Sun Microsystems)
  4. Like models, hackers wear a lot of black, think they

    are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade [sic], it is time to put down the disassembler and consider a relaxing job in management. http://pwnies.com/winners/
  5. Dino Dai Zovi How you know that you are old

    in infosec: you remember when you were trying to get the world to care about improving security. @dinodaizovi https://twitter.com/dinodaizovi/status/783863023257518080
  6. In lieu of the bio slide First computer: TI-99/4A First

    language: BASIC First software shipped: @stake WebProxy First modem: 1200 bps First security job: NSA First software cracked: “Skate or Die!” for PC First keynote: right now http://about.me/chriseng (if you insist on biographical info)
  7. None
  8. Security industry, current state http://www.picturesinboxes.com/2014/09/04/superman-jerk/

  9. Your job today…

  10. Failure

  11. Self-portrait of security industry, ca. 2016

  12. Infosec Taylor Swift “If it’s connected to the Internet, it’s

    already compromised.” (1) discourages security steps that work (2) defeatist (3) demonstrably false @SwiftOnSecurity https://twitter.com/SwiftOnSecurity/status/790703130321137664
  13. Jeff Jarmoc In a relatively short time we’ve taken a

    system built to resist destruction by nuclear weapons and made it vulnerable to toasters. @jjarmoc https://twitter.com/jjarmoc/status/789637654711267328
  14. Casey Ellis So, it’s like boxing — but your goal

    is to stay in the ring for as long as possible until you lose. Sound fun? @caseyjohnellis https://twitter.com/caseyjohnellis/status/785685415583887362
  15. Consider doing differently Stop framing everything as failure Celebrate successes

    Avoid thinking in extremes Make useful suggestions Be honest about things we can do better
  16. Perfection or Nothing

  17. “Le mieux est l’ennemi du bien” (The best is the

    enemy of good) — Voltaire
  18. Martin Fisher There is a bizarre false binary that says

    if you aren’t “secure” you’re “failing”. It's frustrating. @armorguy https://twitter.com/armorguy/status/768797512354279425
  19. Darren Meyer If you’re a big enterprise then the security

    industry is your emotionally abusive spouse. @DarrenPMeyer (Slack DM, shared with permission)
  20. None
  21. David Shaw There have been a lot of issues with

    OpenSSL, too, but you don’t see people recommending plaintext. @dshaw_ https://twitter.com/dshaw_/status/758411021090336768
  22. Matt Suiche Exploiting vulnerabilities 2006 versus 2016. Lots of mitigation

    had been put in place over the past 10 years. @msuiche https://twitter.com/msuiche/status/789072206554771456
  23. None
  24. Halvar Flake Time-to-exploit went from a day 15yrs ago to

    a week or so 10yrs ago to months now. @halvarflake https://twitter.com/halvarflake/status/789229987756969985
  25. Mark Dowd I need a montage to write one nowadays.

    @mdowd https://twitter.com/mdowd/status/789230539806871552
  26. Consider doing differently Beware false dichotomies Remember you’re allowed to

    iterate Apply the 80-20 rule (or 90- 10, or whatever)
  27. Developers are…

  28. Stupid Developers

  29. John Wilander At #OWASPSummit: “Developers don't know shit about security”.

    Well, I got news. You don’t know shit about development. @johnwilander https://twitter.com/johnwilander/status/35031093161762816
  30. Developer priorities Functions and features Uptime Performance Maintainability Usability Security

  31. Chris Eng We ended up finding the real “developer outreach”

    session. It had 4 people instead of 0! #OWASPSummit @chriseng https://twitter.com/chriseng/status/35701606616023040
  32. Christien Rioux Developer Myth: if it was hard to write

    it should be hard to exploit. Hacker Myth: if it was easy to exploit it should be easy to fix. @dildog https://twitter.com/dildog/status/665574124564058112
  33. None
  34. “Instead of assuming that others share our principles, or trying

    to convince them to adopt ours, we ought to present our values as a means of pursuing theirs. It’s much easier to link our agendas to familiar values that people already hold.”
  35. Proof it works

  36. Consider doing differently Quit with the “developer fail” Learn about

    development process/workflow Call out your peers when they do it Understand your developers’ motivations
  37. Victim Blaming

  38. Just-World Hypothesis The idea that people need to believe one

    will get what one deserves so strongly that they will rationalize an inexplicable injustice by naming things the victim might have done to deserve it. https://psychcentral.com/encyclopedia/just-world-hypothesis/
  39. None
  40. Katie Moussouris It’s like watching people be mad at cancer

    patients for not fighting hard enough. @k8em0 (Twitter DM, shared with permission)
  41. “Blame is the enemy of safety. … Assume nobody comes

    to work to do a bad job.” http://www.apta.com/mc/rail/previous/2011/Presentations/N-Leveson-A-Systems-Approach-to-Safety.pdf
  42. None
  43. Consider doing differently Stop being so gleeful about breaches Assume

    your people have good intentions Remember who the criminal is Look for systemic issues instead Empathy, not blame
  44. Dogma

  45. passwordistoostrong Warning: Your password policy must not contain more than

    6 bullet points. @PWTooStrong https://twitter.com/PWTooStrong/status/777929902993670146 (also see http://password-shaming.tumblr.com)
  46. Clever analogy does not equal good advice (Twitter link redacted

    out of courtesy)
  47. Avi Douglen Really any kind of cargo cult “Best Practice”,

    without risk analysis. Prescribing solutions before understanding the problem. @sec_tigger https://twitter.com/sec_tigger/status/784081180589232128
  48. Wendy Nather Conventional wisdom in infosec assumes everyone has a

    standard set of pieces. Sometimes all you have to work with are 2 pawns and a penny. @RCISCwendy https://twitter.com/RCISCwendy/status/787378750631481344
  49. Rob Graham The problem in infosec is that few accept

    the important fact that security is a tradeoff: effort spent on security means [effort not] spent elsewhere. @ErrataRob https://twitter.com/ErrataRob/status/787913823135076352
  50. Pwn All The Things Spending any seconds at all on

    “weak SSL ciphers” when your website is still full of SQL injections. @pwnallthethings (Twitter DM, shared with permission)
  51. “Basically, you’re either dealing with Mossad or not-Mossad. If your

    adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://.” http://scholar.harvard.edu/files/mickens/files/thisworldofours.pdf
  52. “Obscurity as a layer can be used to enhance real

    security that already exists.” https://danielmiessler.com/study/security-by-obscurity/#gs.H=fo=_w
  53. USENIX Security Happy 25th Anniversary USENIX Security Symposium! Hope to

    see everyone again at the 26th! #sec16 @USENIXSecurity https://twitter.com/USENIXSecurity/status/764220203525865473
  54. None
  55. Wendy Nather Try saying this: “This security choice doesn't look

    good to me, but I don't know all the internal risk analysis that went into it.” @RCISCwendy https://twitter.com/RCISCwendy/status/764594565617627136
  56. Consider doing differently Resist the urge to present dogma as

    “best practices” Remember that security decisions are tradeoffs Avoid the phrase “best practices” whenever possible Don’t rush to judgment
  57. Hacker Cred

  58. Shawn Moyer The aggressiveness by which someone self identifies as

    a hacker is almost always inversely proportional to how much they are one. @shawnmoyer https://twitter.com/shawnmoyer/status/775756753644449792
  59. https://www.flickr.com/photos/digitalgamemuseum/6120468075/ (CC BY 2.0)

  60. Peter Pan Syndrome (not officially a DSM disorder)

  61. Hey, y’all http://www.businessinsider.com/22-maps-that-show-the-deepest-linguistic-conflicts-in-america-2013-6

  62. Embracing the stereotypical hacker mystique as a means of signaling

    “eliteness” (i.e. group membership)
  63. None
  64. Consider doing differently Act like adults Pragmatism, not paranoia Be

    humble Help us all get taken more seriously Think about how you’re being perceived
  65. And More… Squirrels, thought leadership, stupid users, and sexism

  66. Alex Stamos Not a single sample [from Operation Manul]... employed

    a 0-day. @alexstamos https://twitter.com/alexstamos/status/761264871778365443
  67. 99% of attempted attacks impacted vulnerabilities for which an update

    was available. Or, put differently, 0-day vulnerabilities were barely relevant in the overall picture. https://blogs.technet.microsoft.com/mmpc/2011/10/10/new-microsoft-security-intelligence-report-volume-11-now-available/
  68. Dave Aitel There's a dichotomy of things that are easy

    to scan for and things that are actually risky, and they are very different sets. POODLE is only really useful to the NSA. — Dave Aitel S4x16 Keynote, January 2016 @daveaitel https://www.youtube.com/watch?v=p1zSlUBfSUg
  69. Jayson Street You’re not a rockstar. You’re a dentist. Get

    over yourself. @jaysonstreet https://twitter.com/RCISCwendy/status/790648162142871553 (Wendy’s tweet, Jayson’s quote)
  70. Chris Eng Remember #RSAC #thoughtleaders, ask me for a ribbon...

    if you qualify (i.e. you've ever had a thought). :-) @chriseng https://twitter.com/chriseng/status/704143336290930689 http://tiny.cc/thoughtleader (n.b. some cultural references outdated)
  71. John Bellomy Engineers don't let engineers design user interfaces. @cowbs

  72. British Gas Help We'd lose our security certificate if we

    allowed pasting. It could leave us open to a “brute force” attack. Thanks ^Steve @BritishGasHelp https://twitter.com/BritishGasHelp/status/463619139220021248
  73. Adrienne Porter Felt My sister mistook Chrome’s red lock icon

    for a red purse. And you know what... she's totally right. So. Goddamn. @__apf__ https://twitter.com/__apf__/status/634858452309831680
  74. Arne Roomann- Kurrik Next time you talk about trying to

    design something so simple your mother could use it try using a sewing machine you condescending shit. @kurrik https://twitter.com/kurrik/status/786395581237170176
  75. None
  76. None
  77. The Persister is dedicated, observant, and conscientious. They believe that

    values are essential virtues. They are motivated by recognition of their convictions. As Persisters experience pressure and distress, they notice faults in others. They notice more of what is wrong than what is right. They may go on the attack, preaching to others from a strong belief system in a self-righteous and condescending manner.
  78. None
  79. We talked about some things Failure Hacker cred Perfection or

    nothing Squirrels Dogma Sexism Victim blaming Stupid users Stupid developers Thought leadership