Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Time to Grow Up: Counterproductive Security Behaviors That Must End

chriseng
November 18, 2016

Time to Grow Up: Counterproductive Security Behaviors That Must End

You’ve heard it all before: “The security industry has failed.” “Developers just don’t care.” “They deserved to be breached.” These and many other overused themes are promulgated by security practitioners at conferences, in social media, and worst of all, in their day jobs. Security practitioners, particularly those new to the industry, regurgitate the same counterproductive ideas and behaviors to the extent they have become clichés. This ultimately damages our collective credibility and creates unnecessary barriers to what we are trying to accomplish. We often lack empathy and pragmatism, reverting to stereotypical one-dimensional attitudes rather than focusing on the positive outcomes we are trying to achieve. We are, at times, caricatures of ourselves. In this presentation, we will take a light-hearted look at many of these problematic themes and discuss how we as security professionals can do better.

The slides are not that useful without the narration. Here are a couple of videos.

- Closing keynote, Kaspersky Security Analyst Summit 2017 (a more concise version of this deck, which I like much better):
https://www.youtube.com/watch?v=amEczve2rPk
- Closing keynote, Countermeasure 2016 (this exact deck):
https://www.youtube.com/watch?v=1jQP1FTnd8Q

[I would also like to clarify that none of the tweets/quotes in the slides are used as examples of badness (other than the @BritishGasHelp one maybe). They simply help illustrate a particular theme. And the slides about age at the beginning are just me poking fun at myself for turning 40 -- nothing more nothing less.]

chriseng

November 18, 2016
Tweet

More Decks by chriseng

Other Decks in Technology

Transcript

  1. Time to Grow Up:
    Counterproductive
    Security Behaviors
    That Must End
    Chris Eng
    Countermeasure
    November 18, 2016
    @chriseng

    View full-size slide

  2. “A person who has not made
    his great contribution to
    science before the age of 30
    will never do so.”
    — Albert Einstein

    View full-size slide

  3. “People under 35 are the
    people who make change
    happen. People over 45
    basically die in terms of new
    ideas.”
    — Vinod Khosla
    (co-founder, Sun Microsystems)

    View full-size slide

  4. Like models, hackers wear a
    lot of black, think they are
    more famous than they are,
    and their career effectively
    ends at age 30. Either way,
    upon entering one's third
    decade [sic], it is time to put
    down the disassembler and
    consider a relaxing job in
    management.
    http://pwnies.com/winners/

    View full-size slide

  5. Dino Dai Zovi
    How you know that you are old in
    infosec: you remember when you
    were trying to get the world to
    care about improving security.
    @dinodaizovi
    https://twitter.com/dinodaizovi/status/783863023257518080

    View full-size slide

  6. In lieu of the bio slide
    First computer: TI-99/4A
    First language: BASIC
    First software shipped:
    @stake WebProxy
    First modem: 1200 bps First security job: NSA
    First software cracked:
    “Skate or Die!” for PC
    First keynote: right now
    http://about.me/chriseng (if you insist on biographical info)

    View full-size slide

  7. Security industry,
    current state
    http://www.picturesinboxes.com/2014/09/04/superman-jerk/

    View full-size slide

  8. Your job today…

    View full-size slide

  9. Self-portrait of
    security industry,
    ca. 2016

    View full-size slide

  10. Infosec Taylor
    Swift
    “If it’s connected to the Internet,
    it’s already compromised.”
    (1) discourages security steps
    that work
    (2) defeatist
    (3) demonstrably false
    @SwiftOnSecurity
    https://twitter.com/SwiftOnSecurity/status/790703130321137664

    View full-size slide

  11. Jeff Jarmoc
    In a relatively short time we’ve
    taken a system built to resist
    destruction by nuclear weapons
    and made it vulnerable to
    toasters.
    @jjarmoc
    https://twitter.com/jjarmoc/status/789637654711267328

    View full-size slide

  12. Casey Ellis
    So, it’s like boxing — but your
    goal is to stay in the ring for as
    long as possible until you lose.
    Sound fun?
    @caseyjohnellis
    https://twitter.com/caseyjohnellis/status/785685415583887362

    View full-size slide

  13. Consider doing differently
    Stop framing everything as
    failure
    Celebrate successes
    Avoid thinking in extremes Make useful suggestions
    Be honest about things we
    can do better

    View full-size slide

  14. Perfection or Nothing

    View full-size slide

  15. “Le mieux est l’ennemi du
    bien”
    (The best is the enemy of good)
    — Voltaire

    View full-size slide

  16. Martin Fisher
    There is a bizarre false binary that
    says if you aren’t “secure” you’re
    “failing”. It's frustrating.
    @armorguy
    https://twitter.com/armorguy/status/768797512354279425

    View full-size slide

  17. Darren Meyer
    If you’re a big enterprise then the
    security industry is your
    emotionally abusive spouse.
    @DarrenPMeyer
    (Slack DM, shared with permission)

    View full-size slide

  18. David Shaw
    There have been a lot of issues
    with OpenSSL, too, but you don’t
    see people recommending
    plaintext.
    @dshaw_
    https://twitter.com/dshaw_/status/758411021090336768

    View full-size slide

  19. Matt Suiche
    Exploiting vulnerabilities 2006
    versus 2016. Lots of mitigation
    had been put in place over the
    past 10 years.
    @msuiche
    https://twitter.com/msuiche/status/789072206554771456

    View full-size slide

  20. Halvar Flake
    Time-to-exploit went from a day
    15yrs ago to a week or so 10yrs
    ago to months now.
    @halvarflake
    https://twitter.com/halvarflake/status/789229987756969985

    View full-size slide

  21. Mark Dowd
    I need a montage to write one
    nowadays.
    @mdowd
    https://twitter.com/mdowd/status/789230539806871552

    View full-size slide

  22. Consider doing differently
    Beware false dichotomies
    Remember you’re allowed
    to iterate
    Apply the 80-20 rule (or 90-
    10, or whatever)

    View full-size slide

  23. Developers are…

    View full-size slide

  24. Stupid Developers

    View full-size slide

  25. John Wilander
    At #OWASPSummit: “Developers
    don't know shit about security”.
    Well, I got news. You don’t know
    shit about development.
    @johnwilander
    https://twitter.com/johnwilander/status/35031093161762816

    View full-size slide

  26. Developer priorities
    Functions and features Uptime
    Performance Maintainability
    Usability Security
    http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html

    View full-size slide

  27. Chris Eng
    We ended up finding the real
    “developer outreach” session. It
    had 4 people instead of 0!
    #OWASPSummit
    @chriseng
    https://twitter.com/chriseng/status/35701606616023040

    View full-size slide

  28. Christien Rioux
    Developer Myth: if it was hard to
    write it should be hard to exploit.
    Hacker Myth: if it was easy to
    exploit it should be easy to fix.
    @dildog
    https://twitter.com/dildog/status/665574124564058112

    View full-size slide

  29. “Instead of assuming that
    others share our principles, or
    trying to convince them to
    adopt ours, we ought to
    present our values as a
    means of pursuing theirs. It’s
    much easier to link our
    agendas to familiar values
    that people already hold.”

    View full-size slide

  30. Proof it works

    View full-size slide

  31. Consider doing differently
    Quit with the “developer
    fail”
    Learn about development
    process/workflow
    Call out your peers when
    they do it
    Understand your
    developers’ motivations

    View full-size slide

  32. Victim Blaming

    View full-size slide

  33. Just-World Hypothesis
    The idea that people need to
    believe one will get what one
    deserves so strongly that they
    will rationalize an inexplicable
    injustice by naming things the
    victim might have done to
    deserve it.
    https://psychcentral.com/encyclopedia/just-world-hypothesis/

    View full-size slide

  34. Katie Moussouris
    It’s like watching people be mad
    at cancer patients for not fighting
    hard enough.
    @k8em0
    (Twitter DM, shared with permission)

    View full-size slide

  35. “Blame is the enemy of safety.
    … Assume nobody comes to
    work to do a bad job.”
    http://www.apta.com/mc/rail/previous/2011/Presentations/N-Leveson-A-Systems-Approach-to-Safety.pdf

    View full-size slide

  36. Consider doing differently
    Stop being so gleeful about
    breaches
    Assume your people have
    good intentions
    Remember who the
    criminal is
    Look for systemic issues
    instead
    Empathy, not blame

    View full-size slide

  37. passwordistoostrong
    Warning: Your password policy
    must not contain more than 6
    bullet points.
    @PWTooStrong
    https://twitter.com/PWTooStrong/status/777929902993670146
    (also see http://password-shaming.tumblr.com)

    View full-size slide

  38. Clever analogy
    does not equal
    good advice
    (Twitter link redacted out of courtesy)

    View full-size slide

  39. Avi Douglen
    Really any kind of cargo cult “Best
    Practice”, without risk analysis.
    Prescribing solutions before
    understanding the problem.
    @sec_tigger
    https://twitter.com/sec_tigger/status/784081180589232128

    View full-size slide

  40. Wendy Nather
    Conventional wisdom in infosec
    assumes everyone has a
    standard set of pieces.
    Sometimes all you have to work
    with are 2 pawns and a penny.
    @RCISCwendy
    https://twitter.com/RCISCwendy/status/787378750631481344

    View full-size slide

  41. Rob Graham
    The problem in infosec is that few
    accept the important fact that
    security is a tradeoff: effort spent
    on security means [effort not]
    spent elsewhere.
    @ErrataRob
    https://twitter.com/ErrataRob/status/787913823135076352

    View full-size slide

  42. Pwn All The
    Things
    Spending any seconds at all on
    “weak SSL ciphers” when your
    website is still full of SQL
    injections.
    @pwnallthethings
    (Twitter DM, shared with permission)

    View full-size slide

  43. “Basically, you’re either dealing
    with Mossad or not-Mossad. If
    your adversary is the Mossad,
    YOU’RE GONNA DIE AND
    THERE’S NOTHING THAT YOU
    CAN DO ABOUT IT. The
    Mossad is not intimidated by
    the fact that you employ
    https://.”
    http://scholar.harvard.edu/files/mickens/files/thisworldofours.pdf

    View full-size slide

  44. “Obscurity as a layer can be
    used to enhance real security
    that already exists.”
    https://danielmiessler.com/study/security-by-obscurity/#gs.H=fo=_w

    View full-size slide

  45. USENIX Security
    Happy 25th Anniversary USENIX
    Security Symposium! Hope to see
    everyone again at the 26th!
    #sec16
    @USENIXSecurity
    https://twitter.com/USENIXSecurity/status/764220203525865473

    View full-size slide

  46. Wendy Nather
    Try saying this: “This security
    choice doesn't look good to me,
    but I don't know all the internal
    risk analysis that went into it.”
    @RCISCwendy
    https://twitter.com/RCISCwendy/status/764594565617627136

    View full-size slide

  47. Consider doing differently
    Resist the urge to present
    dogma as “best practices”
    Remember that security
    decisions are tradeoffs
    Avoid the phrase “best
    practices” whenever
    possible
    Don’t rush to judgment

    View full-size slide

  48. Shawn Moyer
    The aggressiveness by which
    someone self identifies as a
    hacker is almost always inversely
    proportional to how much they
    are one.
    @shawnmoyer
    https://twitter.com/shawnmoyer/status/775756753644449792

    View full-size slide

  49. https://www.flickr.com/photos/digitalgamemuseum/6120468075/ (CC BY 2.0)

    View full-size slide

  50. Peter Pan Syndrome
    (not officially a DSM disorder)

    View full-size slide

  51. Hey, y’all
    http://www.businessinsider.com/22-maps-that-show-the-deepest-linguistic-conflicts-in-america-2013-6

    View full-size slide

  52. Embracing the stereotypical
    hacker mystique as a means
    of signaling “eliteness”
    (i.e. group membership)

    View full-size slide

  53. Consider doing differently
    Act like adults Pragmatism, not paranoia
    Be humble
    Help us all get taken more
    seriously
    Think about how you’re
    being perceived

    View full-size slide

  54. And More…
    Squirrels, thought leadership, stupid users, and sexism

    View full-size slide

  55. Alex Stamos
    Not a single sample [from
    Operation Manul]...
    employed a 0-day.
    @alexstamos
    https://twitter.com/alexstamos/status/761264871778365443

    View full-size slide

  56. 99% of attempted attacks
    impacted vulnerabilities for
    which an update was
    available. Or, put differently,
    0-day vulnerabilities were
    barely relevant in the overall
    picture.
    https://blogs.technet.microsoft.com/mmpc/2011/10/10/new-microsoft-security-intelligence-report-volume-11-now-available/

    View full-size slide

  57. Dave Aitel
    There's a dichotomy of things
    that are easy to scan for and
    things that are actually risky, and
    they are very different sets.
    POODLE is only really useful to
    the NSA.
    — Dave Aitel
    S4x16 Keynote, January 2016
    @daveaitel
    https://www.youtube.com/watch?v=p1zSlUBfSUg

    View full-size slide

  58. Jayson Street
    You’re not a rockstar. You’re a
    dentist. Get over yourself.
    @jaysonstreet
    https://twitter.com/RCISCwendy/status/790648162142871553 (Wendy’s tweet, Jayson’s quote)

    View full-size slide

  59. Chris Eng
    Remember #RSAC
    #thoughtleaders, ask me for a
    ribbon... if you qualify (i.e. you've
    ever had a thought). :-)
    @chriseng
    https://twitter.com/chriseng/status/704143336290930689
    http://tiny.cc/thoughtleader (n.b. some cultural references outdated)

    View full-size slide

  60. John Bellomy
    Engineers don't let engineers
    design user interfaces.
    @cowbs
    https://twitter.com/cowbs/status/516045565847535616

    View full-size slide

  61. British Gas Help
    We'd lose our security certificate
    if we allowed pasting. It could
    leave us open to a “brute force”
    attack. Thanks ^Steve
    @BritishGasHelp
    https://twitter.com/BritishGasHelp/status/463619139220021248

    View full-size slide

  62. Adrienne Porter
    Felt
    My sister mistook Chrome’s red
    lock icon for a red purse. And you
    know what... she's totally right. So.
    Goddamn.
    @__apf__
    https://twitter.com/__apf__/status/634858452309831680

    View full-size slide

  63. Arne Roomann-
    Kurrik
    Next time you talk about trying to
    design something so simple your
    mother could use it try using a
    sewing machine you
    condescending shit.
    @kurrik
    https://twitter.com/kurrik/status/786395581237170176

    View full-size slide

  64. The Persister is dedicated, observant,
    and conscientious. They believe that
    values are essential virtues. They are
    motivated by recognition of their
    convictions.
    As Persisters experience pressure and
    distress, they notice faults in others.
    They notice more of what is wrong
    than what is right. They may go on the
    attack, preaching to others from a
    strong belief system in a self-righteous
    and condescending manner.

    View full-size slide

  65. We talked about some things
    Failure Hacker cred
    Perfection or nothing Squirrels
    Dogma Sexism
    Victim blaming Stupid users
    Stupid developers Thought leadership

    View full-size slide