Today I completed some long overdue maintenance for
transvasive.com – a number of links were broken due to a
prior migration, and general churning of the internet. All links have
been fixed, except for links that have permanently broken, which were
left as-is for posterity. All assets stored locally on the site are
working; please contact me if you find issues.
Here is a copy of the slides from the talk. OWASP
will be posting a free video as well (thanks!) and I’ll add a link when
that becomes available. Below is the abstract and a link to the white
paper we wrote, which explains the ideas presented in the talk in
greater detail.
Abstract:
Defining functional security requirements is a key component of
Behavioral Security Modeling, a method to improve security through
accurately modeling human/information interactions in social terms. The
paper proposes a practical, SDLC-agnostic method for gathering
functional security requirements by establishing limits on interactions
through a series of questions to identify, clarify, and uncover hidden
constraints. Five categories of constraints are presented, along with
advice and “requirement patterns” to facilitate discussions with
stakeholders and translate business needs into unambiguous security
requirements. General advice on improving constraints, implementation
considerations, security actions, quality assurance, and documenting
postconditions is also discussed.
I didn’t get much from the two morning talks given by two of the
sponsors, although the discussion on
fuzzing from Codenomicon
was new to at least one person I spoke to, and I did like Mikko
Varpiola’s observation that the barrier to entry for cybercrime is
generally quite low.
Tina Meier, of the Megan Meier
Foundation, spoke over lunch
about cyberbullying and related issues – as you may recall, Tina’s
daughter Megan committed
suicide after a
cyberbullying incident involving a fake identity created with the help
of an adult neighbor. It’s a sad story, one that found me reflecting on
how the easy anonymity, deception, and social distance created by the
internet can increase both the likelihood and impact of bullying
behavior. How do we teach people how information works? That “on the
Internet, nobody knows you’re a
dog,”
and that once posted or emailed, information can never really be
recalled or removed, and can easily be made public?
The day was rounded out by a good panel on how to turn research into
innovation, with thoughts on establishing MN as a center for cyber
security, much as it is for the medical device industry. The final talk
by Patrick Reidy, the current CISO of the FBI was the highlight of the
day for me. Patrick made some excellent points about APT – that it’s an
intelligence effort that should be addressed with counterintelligence,
covered insider threat (creative ways of spotting malicious insiders),
and focused on people more so than the technology, actually using the
phrase “positive social engineering!” In one example, by asking users to
confirm that a risky action was appropriate (surfing to a file sharing
website, like Google Docs), the FBI reduced policy violations by 97% in
three months.
Day 2 kicked off with a presentation on the Multi-State MS-ISAC,
followed by an excellent prezo given by Nick Selby, a police officer and
member of the 451 Group, on what cyber intelligence is, and how & why
you would want to build a cyber intelligence function. As Nick says,
“intelligence is not sexy,” and is more about knowing what information
to throw away than what information to collect. The talk included other
quotable moments, such as “Policy is set by throwing knives in the
dark,” referring to BYOD/mobile. I would recommend you check out his
site, Police-Led Intelligence.
Over lunch a panel discussed the National Strategy for Trusted
Identities in Cyberspace (NSTIC),
followed by a CISO panel on information sharing. The CISO panel was most
interesting to me when I asked about sharing “security failures” –
there was none, really. For me, this goes to the heart of the
incident-sharing problem: incidents are not failures; they’re cases
where the bad guys won a battle but not the war. Certainly companies’
negligence can contribute to incidents, but apart from that, it’s not
really their fault they got hacked. As an industry we need to do a
better job of not blaming the victim and accepting that incidents WILL
happen, and that our job is to manage the impact to an acceptable level.
Finally, at the end of the panel discussion and also mentioned by the
final speaker, Mark Weatherford, was the need to develop more cyber
security professionals: cyber security unemployment is either zero or
negative right now, depending on how you look at it, and the consensus
was that we need to reach all the way down to the high school level with
our recruitment efforts.
All in all, it was a good two days, and I’ll likely attend next year.
I’m not sure I’d recommend it for out-of-state folks, but if you live in
the region, it’s a worthwhile conference.