Transvasive Security

the human factor

Site Updates

Today I completed some long overdue maintenance for – a number of links were broken due to a prior migration, and general churning of the internet. All links have been fixed, except for links that have permanently broken, which were left as-is for posterity. All assets stored locally on the site are working, please contact me if you find issues.

AppSec USA 2012: Functional Security Requirements using Behavioral Security Modeling

I spoke today at OWASP AppSec USA on “Building Predictable Systems using Behavioral Security Modeling: Functional Security Requirements”. Although Karl Brophey was not able to join me, he was there in spirit. The talk was an updated version of our presentation at Secure360 earlier this year.

Here is a copy of the slides from the talk. OWASP will be posting a free video as well (thanks!) and I’ll add a link when that becomes available. Below is a the abstract and link to the white paper we wrote, which explains the ideas presented in the talk in greater detail.


Defining functional security requirements is a key component of Behavioral Security Modeling, a method to improve security through accurately modeling human/information interactions in social terms. The paper proposes a practical, SDLC agnostic method for gathering functional security requirements by establishing limits on interactions through a series of questions to identify, clarify, and uncover hidden constraints. Five categories of constraints are presented, along with advice and “requirement patterns” to facilitate discussions with stakeholders and translate business needs into unambiguous security requirements. General advice on improving constraints, implementation considerations, security actions, quality assurance, and documenting post conditions are also discussed.


Behavioral Security Modeling: Functional Security Requirements

Musings from the MN Cyber Security Summit

I didn’t get much from the two morning talks given by two of the sponsors, although the discussion on fuzzing from Codenomicon was new to at least one person I spoke to, and I did like Mikko Varpiola’s observation that the barrier to entry for cybercrime is generally quite low.

Tina Meier, of the Megan Meier Foundation, spoke over lunch about cyberbullying and related issues – as you may recall, Tina’s daughter Megan committed suicide after a cyberbullying incident involving a fake identity created with the help of an adult neighbor. It’s a sad story, one that found me reflecting on how the easy anonymity, deception, and social distance created by the internet can increase both the likelihood and impact of bullying behavior. How do we teach people how information works? That “on the Internet, nobody knows you’re a dog,” and that once posted or emailed, information can never really be recalled or removed, and can easily be made public?

The day was rounded out by a good panel on how to turn research into innovation, with thoughts on establishing MN as a center for cyber security, much as it is for the medical device industry. The final talk by Patrick Reidy, the current CISO of the FBI was the highlight of the day for me. Patrick made some excellent points about APT – that it’s an intelligence effort that should be addressed with counterintelligence, covered insider threat (creative ways of spotting malicious insiders), and focused on people more so than the technology, actually using the phrase “positive social engineering!” In one example, by asking users to confirm that a risky action was appropriate (surfing to a file sharing website, like Google Docs), the FBI reduced policy violations by 97% in three months.

Day 2 kicked off with a presentation on the Multi-State MS-ISAC, followed by an excellent prezo given by Nick Selby, a police officer and member of the 451 Group, on what cyber intelligence is, and how & why you would want to build a cyber intelligence function. As Nick says, “intelligence is not sexy,” and is more about knowing what information to throw away than what information to collect. The talk included other quotable moments, such as “Policy is set by throwing knives in the dark,” referring to BYOD/mobile. I would recommend you check out his site, Police-Led Intelligence.

Over lunch a panel discussed the National Strategy for Trusted Identities in Cyberspace (NSTIC), followed by a CISO panel on information sharing. The CISO panel was most interesting to me when I asked about sharing “security failures” – there was none, really. For me, this goes to the heart of the incident-sharing problem: incidents are not failures: they’re cases where the bad guys won a battle but not the war. Certainly companies’ negligence can contribute to incidents, but apart from that, it’s not really their fault they got hacked. As an industry we need to do a better job of not blaming the victim and accepting that incidents WILL happen, and that our job is to manage the impact to an acceptable level.

Finally, at the end of the panel discussion and also mentioned by the final speaker, Mark Weatherford, was the need to develop more cyber security professionals- cyber security unemployment is either zero or negative right now, depending on how you look at it, and the consensus was that we need to reach all the way down to the high school level with our recruitment efforts.

All in all, it was a good two days, and I’ll likely attend next year. I’m not sure I’d recommend it for out-of-state folks, but if you live in the region, it’s a worthwhile conference.

not included in the original post: link to the Cyber Security Summit