Slide 1

Slide 1 text

Time to Grow Up: Counterproductive Security Behaviors That Must End
Chris Eng
Countermeasure, November 18, 2016
@chriseng

Slide 2

Slide 2 text

“A person who has not made his great contribution to science before the age of 30 will never do so.” — Albert Einstein

Slide 3

Slide 3 text

“People under 35 are the people who make change happen. People over 45 basically die in terms of new ideas.” — Vinod Khosla (co-founder, Sun Microsystems)

Slide 4

Slide 4 text

Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade [sic], it is time to put down the disassembler and consider a relaxing job in management. http://pwnies.com/winners/

Slide 5

Slide 5 text

Dino Dai Zovi How you know that you are old in infosec: you remember when you were trying to get the world to care about improving security. @dinodaizovi https://twitter.com/dinodaizovi/status/783863023257518080

Slide 6

Slide 6 text

In lieu of the bio slide
First computer: TI-99/4A
First language: BASIC
First software shipped: @stake WebProxy
First modem: 1200 bps
First security job: NSA
First software cracked: “Skate or Die!” for PC
First keynote: right now
http://about.me/chriseng (if you insist on biographical info)

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Security industry, current state http://www.picturesinboxes.com/2014/09/04/superman-jerk/

Slide 9

Slide 9 text

Your job today…

Slide 10

Slide 10 text

Failure

Slide 11

Slide 11 text

Self-portrait of security industry, ca. 2016

Slide 12

Slide 12 text

Infosec Taylor Swift “If it’s connected to the Internet, it’s already compromised.” (1) discourages security steps that work (2) defeatist (3) demonstrably false @SwiftOnSecurity https://twitter.com/SwiftOnSecurity/status/790703130321137664

Slide 13

Slide 13 text

Jeff Jarmoc In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters. @jjarmoc https://twitter.com/jjarmoc/status/789637654711267328

Slide 14

Slide 14 text

Casey Ellis So, it’s like boxing — but your goal is to stay in the ring for as long as possible until you lose. Sound fun? @caseyjohnellis https://twitter.com/caseyjohnellis/status/785685415583887362

Slide 15

Slide 15 text

Consider doing differently
- Stop framing everything as failure
- Celebrate successes
- Avoid thinking in extremes
- Make useful suggestions
- Be honest about things we can do better

Slide 16

Slide 16 text

Perfection or Nothing

Slide 17

Slide 17 text

“Le mieux est l’ennemi du bien” (The best is the enemy of good) — Voltaire

Slide 18

Slide 18 text

Martin Fisher There is a bizarre false binary that says if you aren’t “secure” you’re “failing”. It's frustrating. @armorguy https://twitter.com/armorguy/status/768797512354279425

Slide 19

Slide 19 text

Darren Meyer If you’re a big enterprise then the security industry is your emotionally abusive spouse. @DarrenPMeyer (Slack DM, shared with permission)

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

David Shaw There have been a lot of issues with OpenSSL, too, but you don’t see people recommending plaintext. @dshaw_ https://twitter.com/dshaw_/status/758411021090336768

Slide 22

Slide 22 text

Matt Suiche Exploiting vulnerabilities 2006 versus 2016. Lots of mitigation had been put in place over the past 10 years. @msuiche https://twitter.com/msuiche/status/789072206554771456

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

Halvar Flake Time-to-exploit went from a day 15yrs ago to a week or so 10yrs ago to months now. @halvarflake https://twitter.com/halvarflake/status/789229987756969985

Slide 25

Slide 25 text

Mark Dowd I need a montage to write one nowadays. @mdowd https://twitter.com/mdowd/status/789230539806871552

Slide 26

Slide 26 text

Consider doing differently
- Beware false dichotomies
- Remember you’re allowed to iterate
- Apply the 80-20 rule (or 90-10, or whatever)

Slide 27

Slide 27 text

Developers are…

Slide 28

Slide 28 text

Stupid Developers

Slide 29

Slide 29 text

John Wilander At #OWASPSummit: “Developers don't know shit about security”. Well, I got news. You don’t know shit about development. @johnwilander https://twitter.com/johnwilander/status/35031093161762816

Slide 30

Slide 30 text

Developer priorities
- Functions and features
- Uptime
- Performance
- Maintainability
- Usability
- Security
http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html

Slide 31

Slide 31 text

Chris Eng We ended up finding the real “developer outreach” session. It had 4 people instead of 0! #OWASPSummit @chriseng https://twitter.com/chriseng/status/35701606616023040

Slide 32

Slide 32 text

Christien Rioux Developer Myth: if it was hard to write it should be hard to exploit. Hacker Myth: if it was easy to exploit it should be easy to fix. @dildog https://twitter.com/dildog/status/665574124564058112

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

“Instead of assuming that others share our principles, or trying to convince them to adopt ours, we ought to present our values as a means of pursuing theirs. It’s much easier to link our agendas to familiar values that people already hold.”

Slide 35

Slide 35 text

Proof it works

Slide 36

Slide 36 text

Consider doing differently
- Quit with the “developer fail”
- Learn about development process/workflow
- Call out your peers when they do it
- Understand your developers’ motivations

Slide 37

Slide 37 text

Victim Blaming

Slide 38

Slide 38 text

Just-World Hypothesis The idea that people need to believe one will get what one deserves so strongly that they will rationalize an inexplicable injustice by naming things the victim might have done to deserve it. https://psychcentral.com/encyclopedia/just-world-hypothesis/

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

Katie Moussouris It’s like watching people be mad at cancer patients for not fighting hard enough. @k8em0 (Twitter DM, shared with permission)

Slide 41

Slide 41 text

“Blame is the enemy of safety. … Assume nobody comes to work to do a bad job.” http://www.apta.com/mc/rail/previous/2011/Presentations/N-Leveson-A-Systems-Approach-to-Safety.pdf

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

Consider doing differently
- Stop being so gleeful about breaches
- Assume your people have good intentions
- Remember who the criminal is
- Look for systemic issues instead
- Empathy, not blame

Slide 44

Slide 44 text

Dogma

Slide 45

Slide 45 text

passwordistoostrong Warning: Your password policy must not contain more than 6 bullet points. @PWTooStrong https://twitter.com/PWTooStrong/status/777929902993670146 (also see http://password-shaming.tumblr.com)

Slide 46

Slide 46 text

Clever analogy does not equal good advice (Twitter link redacted out of courtesy)

Slide 47

Slide 47 text

Avi Douglen Really any kind of cargo cult “Best Practice”, without risk analysis. Prescribing solutions before understanding the problem. @sec_tigger https://twitter.com/sec_tigger/status/784081180589232128

Slide 48

Slide 48 text

Wendy Nather Conventional wisdom in infosec assumes everyone has a standard set of pieces. Sometimes all you have to work with are 2 pawns and a penny. @RCISCwendy https://twitter.com/RCISCwendy/status/787378750631481344

Slide 49

Slide 49 text

Rob Graham The problem in infosec is that few accept the important fact that security is a tradeoff: effort spent on security means [effort not] spent elsewhere. @ErrataRob https://twitter.com/ErrataRob/status/787913823135076352

Slide 50

Slide 50 text

Pwn All The Things Spending any seconds at all on “weak SSL ciphers” when your website is still full of SQL injections. @pwnallthethings (Twitter DM, shared with permission)

Slide 51

Slide 51 text

“Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://.” http://scholar.harvard.edu/files/mickens/files/thisworldofours.pdf

Slide 52

Slide 52 text

“Obscurity as a layer can be used to enhance real security that already exists.” https://danielmiessler.com/study/security-by-obscurity/

Slide 53

Slide 53 text

USENIX Security Happy 25th Anniversary USENIX Security Symposium! Hope to see everyone again at the 26th! #sec16 @USENIXSecurity https://twitter.com/USENIXSecurity/status/764220203525865473

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

Wendy Nather Try saying this: “This security choice doesn't look good to me, but I don't know all the internal risk analysis that went into it.” @RCISCwendy https://twitter.com/RCISCwendy/status/764594565617627136

Slide 56

Slide 56 text

Consider doing differently
- Resist the urge to present dogma as “best practices”
- Remember that security decisions are tradeoffs
- Avoid the phrase “best practices” whenever possible
- Don’t rush to judgment

Slide 57

Slide 57 text

Hacker Cred

Slide 58

Slide 58 text

Shawn Moyer The aggressiveness by which someone self identifies as a hacker is almost always inversely proportional to how much they are one. @shawnmoyer https://twitter.com/shawnmoyer/status/775756753644449792

Slide 59

Slide 59 text

https://www.flickr.com/photos/digitalgamemuseum/6120468075/ (CC BY 2.0)

Slide 60

Slide 60 text

Peter Pan Syndrome (not officially a DSM disorder)

Slide 61

Slide 61 text

Hey, y’all http://www.businessinsider.com/22-maps-that-show-the-deepest-linguistic-conflicts-in-america-2013-6

Slide 62

Slide 62 text

Embracing the stereotypical hacker mystique as a means of signaling “eliteness” (i.e. group membership)

Slide 63

Slide 63 text

No content

Slide 64

Slide 64 text

Consider doing differently
- Act like adults
- Pragmatism, not paranoia
- Be humble
- Help us all get taken more seriously
- Think about how you’re being perceived

Slide 65

Slide 65 text

And More… Squirrels, thought leadership, stupid users, and sexism

Slide 66

Slide 66 text

Alex Stamos Not a single sample [from Operation Manul]... employed a 0-day. @alexstamos https://twitter.com/alexstamos/status/761264871778365443

Slide 67

Slide 67 text

99% of attempted attacks impacted vulnerabilities for which an update was available. Or, put differently, 0-day vulnerabilities were barely relevant in the overall picture. https://blogs.technet.microsoft.com/mmpc/2011/10/10/new-microsoft-security-intelligence-report-volume-11-now-available/

Slide 68

Slide 68 text

Dave Aitel There's a dichotomy of things that are easy to scan for and things that are actually risky, and they are very different sets. POODLE is only really useful to the NSA. — Dave Aitel S4x16 Keynote, January 2016 @daveaitel https://www.youtube.com/watch?v=p1zSlUBfSUg

Slide 69

Slide 69 text

Jayson Street You’re not a rockstar. You’re a dentist. Get over yourself. @jaysonstreet https://twitter.com/RCISCwendy/status/790648162142871553 (Wendy’s tweet, Jayson’s quote)

Slide 70

Slide 70 text

Chris Eng Remember #RSAC #thoughtleaders, ask me for a ribbon... if you qualify (i.e. you've ever had a thought). :-) @chriseng https://twitter.com/chriseng/status/704143336290930689 http://tiny.cc/thoughtleader (n.b. some cultural references outdated)

Slide 71

Slide 71 text

John Bellomy Engineers don't let engineers design user interfaces. @cowbs https://twitter.com/cowbs/status/516045565847535616

Slide 72

Slide 72 text

British Gas Help We'd lose our security certificate if we allowed pasting. It could leave us open to a “brute force” attack. Thanks ^Steve @BritishGasHelp https://twitter.com/BritishGasHelp/status/463619139220021248

Slide 73

Slide 73 text

Adrienne Porter Felt My sister mistook Chrome’s red lock icon for a red purse. And you know what... she's totally right. So. Goddamn. @__apf__ https://twitter.com/__apf__/status/634858452309831680

Slide 74

Slide 74 text

Arne Roomann-Kurrik Next time you talk about trying to design something so simple your mother could use it try using a sewing machine you condescending shit. @kurrik https://twitter.com/kurrik/status/786395581237170176

Slide 75

Slide 75 text

No content

Slide 76

Slide 76 text

No content

Slide 77

Slide 77 text

The Persister is dedicated, observant, and conscientious. They believe that values are essential virtues. They are motivated by recognition of their convictions. As Persisters experience pressure and distress, they notice faults in others. They notice more of what is wrong than what is right. They may go on the attack, preaching to others from a strong belief system in a self-righteous and condescending manner.

Slide 78

Slide 78 text

No content

Slide 79

Slide 79 text

We talked about some things
- Failure
- Perfection or nothing
- Stupid developers
- Victim blaming
- Dogma
- Hacker cred
- Squirrels
- Thought leadership
- Stupid users
- Sexism