Transvasive Security

the human factor

I started Transvasive Security in 2008 and offered consulting services until taking a full time job in 2012. This site is an archive of my work prior to 2015; I currently blog at information-safety.org and provide security consulting through my new company, Security Differently.

Musings from the MN Cyber Security Summit

I didn’t get much from the two morning talks given by two of the sponsors, although the discussion on fuzzing from Codenomicon was new to at least one person I spoke to, and I did like Mikko Varpiola’s observation that the barrier to entry for cybercrime is generally quite low.

Tina Meier, of the Megan Meier Foundation, spoke over lunch about cyberbullying and related issues – as you may recall, Tina’s daughter Megan committed suicide after a cyberbullying incident involving a fake identity created with the help of an adult neighbor. It’s a sad story, one that found me reflecting on how the easy anonymity, deception, and social distance created by the internet can increase both the likelihood and impact of bullying behavior. How do we teach people how information works? That “on the Internet, nobody knows you’re a dog,” and that once posted or emailed, information can never really be recalled or removed, and can easily be made public?

The day was rounded out by a good panel on how to turn research into innovation, with thoughts on establishing MN as a center for cyber security, much as it is for the medical device industry. The final talk by Patrick Reidy, the current CISO of the FBI, was the highlight of the day for me. Patrick made some excellent points about APT – that it’s an intelligence effort that should be addressed with counterintelligence – covered insider threat (creative ways of spotting malicious insiders), and focused on people more so than the technology, actually using the phrase “positive social engineering!” In one example, by asking users to confirm that a risky action was appropriate (surfing to a file sharing website, like Google Docs), the FBI reduced policy violations by 97% in three months.

Day 2 kicked off with a presentation on the Multi-State MS-ISAC, followed by an excellent prezo given by Nick Selby, a police officer and member of the 451 Group, on what cyber intelligence is, and how & why you would want to build a cyber intelligence function. As Nick says, “intelligence is not sexy,” and is more about knowing what information to throw away than what information to collect. The talk included other quotable moments, such as “Policy is set by throwing knives in the dark,” referring to BYOD/mobile. I would recommend you check out his site, Police-Led Intelligence.

Over lunch a panel discussed the National Strategy for Trusted Identities in Cyberspace (NSTIC), followed by a CISO panel on information sharing. The CISO panel was most interesting to me when I asked about sharing “security failures” – there was none, really. For me, this goes to the heart of the incident-sharing problem: incidents are not failures: they’re cases where the bad guys won a battle but not the war. Certainly companies’ negligence can contribute to incidents, but apart from that, it’s not really their fault they got hacked. As an industry we need to do a better job of not blaming the victim and accepting that incidents WILL happen, and that our job is to manage the impact to an acceptable level.

Finally, at the end of the panel discussion and also mentioned by the final speaker, Mark Weatherford, was the need to develop more cyber security professionals. Cyber security unemployment is either zero or negative right now, depending on how you look at it, and the consensus was that we need to reach all the way down to the high school level with our recruitment efforts.

All in all, it was a good two days, and I’ll likely attend next year. I’m not sure I’d recommend it for out-of-state folks, but if you live in the region, it’s a worthwhile conference.

not included in the original post: link to the Cyber Security Summit

ISC2 Security Congress Talk and SIRACon

Today I spoke at the (ISC)2 Security Congress in Philadelphia, which is co-located with the ASIS International Conference. I talked about Behavioral Threat Modeling, which is my proposal for a better way of identifying security design flaws. I enjoyed the talk, and got several good questions at the end.

Although video of the talk is only available to conference participants, I’ve posted a copy of my slides below. For those who would like a copy of the Excel template I used for the Threat Profiles, I’m working on posting a copy here as well, but until then, please contact me and I’ll be happy to email you a copy.

Defending Against Attacks by Modeling Threat Behaviors

Sample Threat Profiles Excel template

If you happen to live in the Minneapolis / St Paul area, I’ll be giving the talk again at the local OWASP MSP chapter a week from today, on September 17. (It’s the same talk, we just had a problem getting the title right) The OWASP MSP group is fun, and I’m hoping I’ll get some hecklers.

Finally, here is a link to videos of all of the talks at SIRACon, including the talk I gave on Information Safety.

Update: I’ve posted both the slides, and the sample threat profiles, links above.

Thoughts on Information Safety

Lately, I’ve been thinking about the concept of Information Safety, and how it differs from Information Security. When I talk to people about the idea, especially non-security people, they typically find “safety” more appealing than “security,” but for the concept to pay off, it has to be more than just a re-branding of existing security concepts.

For me, the concept of information safety is an answer to Donn Parker’s challenge to information risk management in 2006. In his article for the ISSA Journal, “Making the Case for Replacing Risk-Based Security,” Donn observes that there are two types of problems in information security: ongoing attacks that are virtual certainties, like viruses, and rare, unpredictable incidents. I agree with his observations, but disagree (somewhat) with his conclusion to use a due diligence approach – do what we have always done. For me, information safety is the approach for ongoing & certain attacks, and protection is the approach for the rare & unpredictable.

I recently came across an article published by the American Institute of Architects (by way of Wikipedia) that includes elegant definitions for both security and safety, which highlight the problems within the information security profession that demonstrate the need for a safety practice:

Safety involves whatever contributes to maintaining the “steady state” of a social and physical structure or place in terms of whatever it is intended to do. Safety connotes stability over time, continuity of function and reliability of structure.

Security is the process or means of delaying, preventing and otherwise protecting against external or internal dangers, loss, criminals, and other individuals or actions that threaten to weaken, hinder or destroy an organization’s “steady state,” and otherwise deprive it of its intended purpose for being.

For me, the notion of “steady state” is key to safety. Our current focus on security (what I call “protection”) leads us to focus on protecting against threats, while establishing and maintaining a steady state is undervalued and even neglected. We have information security organizations, but where are our information safety teams?