Keynote 3 – ‘Are we getting better?’ Why we don’t know. What can we do about it?
Joshua Corman, Director Akamai Technologies
Change is constant;
– Evolving compliance
– Evolving Threats
– Evolving Technology
– Evolving Business
– Evolving Economics
Historically most of our security time and budget went on understanding who is attacking us and how, and understanding our IT landscape. Now since the onset of so much legislation 50% of security time and budget is spent meeting regulations. In some companies this is closer to 100%. Why? Because the organisation might get hacked, but it will be fined if it fails an audit.
So in a world of ever increasing and evolving threats and increasingly complex systems our focus is diverted from true risk management and security.
Another reason to believe we are not getting better is that we are rapidly increasing our dependence on technology and software systems much more quickly than our ability to secure them e.g Insulin pumps have been hacked to deliver lethal doses, Microsoft Windows is now in some cars, we rely on web sites that are still regularly hacked, etc.
Are our challenges are not technical but cultural? For example the OWASP top 10 issues has basically never changed! Why have we not yet solved any of these issues?
Why is this?
– We have faith based security
– We need evidence based security
– However we have very little data and that we do have may not be for the genuinely most serious issues – we focus on what is visible, not importance.
– Drunks and Lampposts! – we (and vendors) use data to prop up their views and desired message, not to show the true picture in the same way a drunk uses a lamppost for cupport, not illumination.
Collection of thoughts presented;
– Vendors don’t need to be ahead of the bad guys, they just need to be ahead of the customer!
– We have and accept buggy software
– There is a lot of FUD (Fear Uncertainty and Doubt) and conversely Blind faith
– We had the chance to do cloud computing better, but are already having the same types of conversation as before..
– The security industry scores very high on the Maslow stress index..
– Most companies and CISOs cannot stop standard Metasploit attacks, if we cant stop ‘script kiddies’ how can we expect to stop ‘grown up’ attackers? – HD Moore’s law..
What can we do about it? (in order of importance);
– Pick one;
- Make excuses
- Make progress
– Build defensible infrastructures including rugged software
– Operational excellence – run IT well, understand what you have
– Situational awareness
Joshua has a very interesting blog covering these points and many others. This can be found here;
To summarise, Seek Knowledge, Make Progress, Collaborate with people, be unreasonable! J
Overall a great although sprawling and fast paced talk.
Keynote 4 – Trust, Security and Society
We as a species are very trusting, just having breakfast you effectively trust 1000s of people to have safely grown, prepared and server your food. Society wouldn’t function without trust. This is why we do security, security enables trust, and trust enables society.
There are two forms of trust –
– Personal when you know someone, and understand some of their likely motivations and expected actions.
– Impersonal, you trust / assume someone will perform tasks as expected – e.g. you trust a taxi driver to take you to the right place and not overcharge you (too much!)
In society we trust a lot of people and entities all the time to perform as expected and fulfil agreed actions. This trust is for individuals, things / organisations that are physically there, and much more abstract organisations / functions.
Conversely in any system like this people can ‘game’ the system and act in untrustworthy ways. Consider game theory and the prisoners dilemma. People can be ‘defectors’. However defecting only works if the defectors are not too successful, if defecting becomes too successful things, in this case society can collapse.
Security is how we keep the number of defectors to an acceptable level. This does not mean zero, as getting towards zero becomes prohibitively expensive.
So how do we do this? Societal pressures;
– Morals – mostly comes from within our own head
– Reputation – mostly comes from other people’s opinions of us
– Laws – ‘formalised reputation’ where laws are not just government type laws, this also includes expected behaviour within your company, expected behaviours within a group or team etc.
– Security systems
These pressures allow society to scale.
Society will use these pressures to find a balance / equilibrium between these pressures and defectors. Usually not explicitly, but as an example if there is a lot of crime people will expect more time and effort to go into policing, when crime is very low they will ask why spend so much on policing when we have all these other issues..
Technology makes society more complex and is leading us through a tie of great societal change.
– No matter how much societal pressure there is there will always be some defectors
– Increasing societal pressure is not always worth it
– We all defect at some times. No one is perfect.
– There are good and bad defectors and it can be hard to differentiate.
– Society needs defectors – we all benefit because some people don’t follow the norms..