
Time to Grow Up: Counterproductive Security Behaviors That Must End

chriseng
November 18, 2016


You’ve heard it all before: “The security industry has failed.” “Developers just don’t care.” “They deserved to be breached.” These and many other overused themes are promulgated by security practitioners at conferences, in social media, and worst of all, in their day jobs. Security practitioners, particularly those new to the industry, regurgitate the same counterproductive ideas and behaviors to the extent they have become clichés. This ultimately damages our collective credibility and creates unnecessary barriers to what we are trying to accomplish. We often lack empathy and pragmatism, reverting to stereotypical one-dimensional attitudes rather than focusing on the positive outcomes we are trying to achieve. We are, at times, caricatures of ourselves. In this presentation, we will take a light-hearted look at many of these problematic themes and discuss how we as security professionals can do better.

The slides are not that useful without the narration. Here are a couple of videos.

- Closing keynote, Kaspersky Security Analyst Summit 2017 (a more concise version of this deck, which I like much better):
https://www.youtube.com/watch?v=amEczve2rPk
- Closing keynote, Countermeasure 2016 (this exact deck):
https://www.youtube.com/watch?v=1jQP1FTnd8Q

[I would also like to clarify that none of the tweets/quotes in the slides are used as examples of badness (other than the @BritishGasHelp one maybe). They simply help illustrate a particular theme. And the slides about age at the beginning are just me poking fun at myself for turning 40 -- nothing more nothing less.]


Transcript

1. Time to Grow Up: Counterproductive Security Behaviors That Must End. Chris Eng, Countermeasure, November 18, 2016. @chriseng
2. “A person who has not made his great contribution to science before the age of 30 will never do so.” — Albert Einstein
3. “People under 35 are the people who make change happen. People over 45 basically die in terms of new ideas.” — Vinod Khosla (co-founder, Sun Microsystems)
4. “Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade [sic], it is time to put down the disassembler and consider a relaxing job in management.” http://pwnies.com/winners/
5. Dino Dai Zovi: “How you know that you are old in infosec: you remember when you were trying to get the world to care about improving security.” @dinodaizovi https://twitter.com/dinodaizovi/status/783863023257518080
6. In lieu of the bio slide:
   - First computer: TI-99/4A
   - First language: BASIC
   - First software shipped: @stake WebProxy
   - First modem: 1200 bps
   - First security job: NSA
   - First software cracked: “Skate or Die!” for PC
   - First keynote: right now
   - http://about.me/chriseng (if you insist on biographical info)
7. Infosec Taylor Swift: “If it’s connected to the Internet, it’s already compromised.” @SwiftOnSecurity https://twitter.com/SwiftOnSecurity/status/790703130321137664
   - (1) discourages security steps that work
   - (2) defeatist
   - (3) demonstrably false
8. Jeff Jarmoc: “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” @jjarmoc https://twitter.com/jjarmoc/status/789637654711267328
9. Casey Ellis: “So, it’s like boxing — but your goal is to stay in the ring for as long as possible until you lose. Sound fun?” @caseyjohnellis https://twitter.com/caseyjohnellis/status/785685415583887362
10. Consider doing differently:
   - Stop framing everything as failure
   - Celebrate successes
   - Avoid thinking in extremes
   - Make useful suggestions
   - Be honest about things we can do better
11. Martin Fisher: “There is a bizarre false binary that says if you aren’t ‘secure’ you’re ‘failing’. It's frustrating.” @armorguy https://twitter.com/armorguy/status/768797512354279425
12. Darren Meyer: “If you’re a big enterprise then the security industry is your emotionally abusive spouse.” @DarrenPMeyer (Slack DM, shared with permission)
13. David Shaw: “There have been a lot of issues with OpenSSL, too, but you don’t see people recommending plaintext.” @dshaw_ https://twitter.com/dshaw_/status/758411021090336768
14. Matt Suiche: “Exploiting vulnerabilities 2006 versus 2016. Lots of mitigation had been put in place over the past 10 years.” @msuiche https://twitter.com/msuiche/status/789072206554771456
15. Halvar Flake: “Time-to-exploit went from a day 15yrs ago to a week or so 10yrs ago to months now.” @halvarflake https://twitter.com/halvarflake/status/789229987756969985
16. Mark Dowd: “I need a montage to write one nowadays.” @mdowd https://twitter.com/mdowd/status/789230539806871552
17. Consider doing differently:
   - Beware false dichotomies
   - Remember you’re allowed to iterate
   - Apply the 80-20 rule (or 90-10, or whatever)
18. John Wilander: “At #OWASPSummit: ‘Developers don't know shit about security’. Well, I got news. You don’t know shit about development.” @johnwilander https://twitter.com/johnwilander/status/35031093161762816
19. Developer priorities (in order):
   - Functions and features
   - Uptime
   - Performance
   - Maintainability
   - Usability
   - Security
   - http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html
20. Chris Eng: “We ended up finding the real ‘developer outreach’ session. It had 4 people instead of 0! #OWASPSummit” @chriseng https://twitter.com/chriseng/status/35701606616023040
21. Christien Rioux: “Developer Myth: if it was hard to write it should be hard to exploit. Hacker Myth: if it was easy to exploit it should be easy to fix.” @dildog https://twitter.com/dildog/status/665574124564058112
22. “Instead of assuming that others share our principles, or trying to convince them to adopt ours, we ought to present our values as a means of pursuing theirs. It’s much easier to link our agendas to familiar values that people already hold.”
23. Consider doing differently:
   - Quit with the “developer fail”
   - Learn about development process/workflow
   - Call out your peers when they do it
   - Understand your developers’ motivations
24. Just-World Hypothesis: the idea that people need to believe one will get what one deserves so strongly that they will rationalize an inexplicable injustice by naming things the victim might have done to deserve it. https://psychcentral.com/encyclopedia/just-world-hypothesis/
25. Katie Moussouris: “It’s like watching people be mad at cancer patients for not fighting hard enough.” @k8em0 (Twitter DM, shared with permission)
26. “Blame is the enemy of safety. … Assume nobody comes to work to do a bad job.” http://www.apta.com/mc/rail/previous/2011/Presentations/N-Leveson-A-Systems-Approach-to-Safety.pdf
27. Consider doing differently:
   - Stop being so gleeful about breaches
   - Assume your people have good intentions
   - Remember who the criminal is
   - Look for systemic issues instead
   - Empathy, not blame
28. passwordistoostrong: “Warning: Your password policy must not contain more than 6 bullet points.” @PWTooStrong https://twitter.com/PWTooStrong/status/777929902993670146 (also see http://password-shaming.tumblr.com)
29. Avi Douglen: “Really any kind of cargo cult ‘Best Practice’, without risk analysis. Prescribing solutions before understanding the problem.” @sec_tigger https://twitter.com/sec_tigger/status/784081180589232128
30. Wendy Nather: “Conventional wisdom in infosec assumes everyone has a standard set of pieces. Sometimes all you have to work with are 2 pawns and a penny.” @RCISCwendy https://twitter.com/RCISCwendy/status/787378750631481344
31. Rob Graham: “The problem in infosec is that few accept the important fact that security is a tradeoff: effort spent on security means [effort not] spent elsewhere.” @ErrataRob https://twitter.com/ErrataRob/status/787913823135076352
32. Pwn All The Things: “Spending any seconds at all on ‘weak SSL ciphers’ when your website is still full of SQL injections.” @pwnallthethings (Twitter DM, shared with permission)
33. “Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://.” http://scholar.harvard.edu/files/mickens/files/thisworldofours.pdf
34. “Obscurity as a layer can be used to enhance real security that already exists.” https://danielmiessler.com/study/security-by-obscurity/#gs.H=fo=_w
35. USENIX Security: “Happy 25th Anniversary USENIX Security Symposium! Hope to see everyone again at the 26th! #sec16” @USENIXSecurity https://twitter.com/USENIXSecurity/status/764220203525865473
36. Wendy Nather: “Try saying this: ‘This security choice doesn't look good to me, but I don't know all the internal risk analysis that went into it.’” @RCISCwendy https://twitter.com/RCISCwendy/status/764594565617627136
37. Consider doing differently:
   - Resist the urge to present dogma as “best practices”
   - Remember that security decisions are tradeoffs
   - Avoid the phrase “best practices” whenever possible
   - Don’t rush to judgment
38. Shawn Moyer: “The aggressiveness by which someone self identifies as a hacker is almost always inversely proportional to how much they are one.” @shawnmoyer https://twitter.com/shawnmoyer/status/775756753644449792
39. Consider doing differently:
   - Act like adults
   - Pragmatism, not paranoia
   - Be humble
   - Help us all get taken more seriously
   - Think about how you’re being perceived
40. Alex Stamos: “Not a single sample [from Operation Manul]... employed a 0-day.” @alexstamos https://twitter.com/alexstamos/status/761264871778365443
41. “99% of attempted attacks impacted vulnerabilities for which an update was available. Or, put differently, 0-day vulnerabilities were barely relevant in the overall picture.” https://blogs.technet.microsoft.com/mmpc/2011/10/10/new-microsoft-security-intelligence-report-volume-11-now-available/
42. Dave Aitel: “There's a dichotomy of things that are easy to scan for and things that are actually risky, and they are very different sets. POODLE is only really useful to the NSA.” — Dave Aitel, S4x16 Keynote, January 2016. @daveaitel https://www.youtube.com/watch?v=p1zSlUBfSUg
43. Jayson Street: “You’re not a rockstar. You’re a dentist. Get over yourself.” @jaysonstreet https://twitter.com/RCISCwendy/status/790648162142871553 (Wendy’s tweet, Jayson’s quote)
44. Chris Eng: “Remember #RSAC #thoughtleaders, ask me for a ribbon... if you qualify (i.e. you've ever had a thought). :-)” @chriseng https://twitter.com/chriseng/status/704143336290930689 http://tiny.cc/thoughtleader (n.b. some cultural references outdated)
45. John Bellomy: “Engineers don't let engineers design user interfaces.” @cowbs https://twitter.com/cowbs/status/516045565847535616
46. British Gas Help: “We'd lose our security certificate if we allowed pasting. It could leave us open to a ‘brute force’ attack. Thanks ^Steve” @BritishGasHelp https://twitter.com/BritishGasHelp/status/463619139220021248
47. Adrienne Porter Felt: “My sister mistook Chrome’s red lock icon for a red purse. And you know what... she's totally right. So. Goddamn.” @__apf__ https://twitter.com/__apf__/status/634858452309831680
48. Arne Roomann-Kurrik: “Next time you talk about trying to design something so simple your mother could use it try using a sewing machine you condescending shit.” @kurrik https://twitter.com/kurrik/status/786395581237170176
49. The Persister is dedicated, observant, and conscientious. They believe that values are essential virtues. They are motivated by recognition of their convictions. As Persisters experience pressure and distress, they notice faults in others. They notice more of what is wrong than what is right. They may go on the attack, preaching to others from a strong belief system in a self-righteous and condescending manner.
50. We talked about some things:
   - Failure
   - Hacker cred
   - Perfection or nothing
   - Squirrels
   - Dogma
   - Sexism
   - Victim blaming
   - Stupid users
   - Stupid developers
   - Thought leadership