Transvasive Security

the human factor

Musings from the MN Cyber Security Summit

I didn’t get much from the two morning talks given by two of the sponsors, although the discussion on fuzzing from Codenomicon was new to at least one person I spoke to, and I did like Mikko Varpiola’s observation that the barrier to entry for cybercrime is generally quite low.

Tina Meier, of the Megan Meier Foundation, spoke over lunch about cyberbullying and related issues – as you may recall, Tina’s daughter Megan committed suicide after a cyberbullying incident involving a fake identity created with the help of an adult neighbor. It’s a sad story, one that found me reflecting on how the easy anonymity, deception, and social distance created by the internet can increase both the likelihood and impact of bullying behavior. How do we teach people how information works? That “on the Internet, nobody knows you’re a dog,” and that once posted or emailed, information can never really be recalled or removed, and can easily be made public?

The day was rounded out by a good panel on how to turn research into innovation, with thoughts on establishing MN as a center for cyber security, much as it is for the medical device industry. The final talk by Patrick Reidy, the current CISO of the FBI, was the highlight of the day for me. Patrick made some excellent points about APT – that it’s an intelligence effort that should be addressed with counterintelligence – covered insider threat (creative ways of spotting malicious insiders), and focused on people more so than the technology, actually using the phrase “positive social engineering!” In one example, by asking users to confirm that a risky action was appropriate (surfing to a file sharing website, like Google Docs), the FBI reduced policy violations by 97% in three months.

Day 2 kicked off with a presentation on the Multi-State MS-ISAC, followed by an excellent prezo given by Nick Selby, a police officer and member of the 451 Group, on what cyber intelligence is, and how & why you would want to build a cyber intelligence function. As Nick says, “intelligence is not sexy,” and is more about knowing what information to throw away than what information to collect. The talk included other quotable moments, such as “Policy is set by throwing knives in the dark,” referring to BYOD/mobile. I would recommend you check out his site, Police-Led Intelligence.

Over lunch a panel discussed the National Strategy for Trusted Identities in Cyberspace (NSTIC), followed by a CISO panel on information sharing. The CISO panel was most interesting to me when I asked about sharing “security failures” – there was none, really. For me, this goes to the heart of the incident-sharing problem: incidents are not failures: they’re cases where the bad guys won a battle but not the war. Certainly companies’ negligence can contribute to incidents, but apart from that, it’s not really their fault they got hacked. As an industry we need to do a better job of not blaming the victim and accepting that incidents WILL happen, and that our job is to manage the impact to an acceptable level.

Finally, at the end of the panel discussion, and also mentioned by the final speaker, Mark Weatherford, was the need to develop more cyber security professionals: cyber security unemployment is either zero or negative right now, depending on how you look at it, and the consensus was that we need to reach all the way down to the high school level with our recruitment efforts.

All in all, it was a good two days, and I’ll likely attend next year. I’m not sure I’d recommend it for out-of-state folks, but if you live in the region, it’s a worthwhile conference.
