Crazy incentives and how they drive security into no man's land
0 gefällt mir
Aufrufe
Check these out next
Crazy incentives and how they drive security into no man's land
0 gefällt mir
Aufrufe
Everybody, Blueteam and Redteam players alike, are driven by incentives. Good incentives persuade us to do the right thing and patch our servers. Bad incentives make us eat unhealthy food and follow stupid security practices. There is a huge resource problem in the IT industry and especially in the security industry. So you would expect people to pay attention to the existing incentives and th incentives they create with their documentation, their awareness trainings, their security reports, etc. But reality paints a different picture: Bad incentives all around! We see insane security practices eating valuable time and online trainings annoying users, slowly teaching them to become a brainless zombie whenever they hear the keyword "security". But it's even worse. I've come across incentives that lure companies into creating bad products and I've seen companies create products that incentivize their customers to waste their time and money. Sometimes the mechanisms are too strong to fight. But sometimes it takes people like you and me to say NO and stand up for real security! Follow me on a journey and security will never look the same to you again!
Recomendados
Crazy incentives and how they drive security into no man's land
- Crazy incentives and how they drive security into no man's land Christian Folini Keynote 2023
- Streaming in China Source: @RealSexyCyborg (Naomi Wu) Streaming in China
- Hello Insomni’Hack! I am Christian Folini Find me at @ChrFolini / @folini@infosec.exchange Swiss Security Engineer OWASP CRS Co-Lead Wearer of Many Helmets
- “ In general, incentives are anything that persuade a person to alter their behaviour. (Wikipedia)
- “ In general, incentives are anything that persuade a person to alter their behaviour. ... Higher incentives amount to greater levels of effort and therefore, higher levels of performance.
- Elon scrambling for money
- “
- Nessus Reports
- More Nessus Madness
- Inflated Numbers
- Even Bigger Numbers Source: https://techjury.net/
- The Infamous Norse Dashboard A Kibana Example
- Typical ModSecurity Dashboard Element
- Survivorship Bias Source: Wikipedia: Survivorship Bias
- Bug Bounty Hunters Source: https://pexels.com
- Bug Bounty Hunters Penetration Testers
- Large Baskets with Many, Many Eggs
- Crisis Communication
- Ransomware Source: Wikipedia: AIDS DOS Trojan 1989
- Ransomware and Cyber Insurance
- Commercial WAF Detection Rates Source: https://fraktal.fi (Tuomo Makkonnen, 2020)
- Unce upon a time, there was a boy ...
- The boy was a shepherd
- His little herd also included a ram
- He took them through a forest
- In the forest, there was a wolf
- The boy screamed and called the hunters
- The hunters came and wanted to kill the wolf
- But as it turned out, it was all a false positive!
- The alternative: a false negative!
- The alternative: a false negative!
- The alternative: a false negative!
- Commercial WAF Detection Rates Source: https://fraktal.fi (Tuomo Makkonnen, 2020)
- Summary Let’s wrap this up!
- Level 1 An overly relaxed attitude, ignorance, negligence and carelessness lead to bad incentives for users. Tricking them into weak decisions undermining security. Two Levels of Bad Incentives Level 2 Deliberately following or setting crazy incentives for immediate gain; consciously prioritizing financial benefit over security of users and their data.
- It’s your job to raise the alarm when incentives and security don’t align!
- Contact christian.folini@netnea.com @ChrFolini @folini@infosec.exchange