SECURITY IS A SNAPSHOT IN TIME - SO HOW DO WE KEEP UP?
Adam Cecchetti
Deja vu Security
Hello!
• Adam Cecchetti
• Deja vu Security : Founder, CEO
• Peach Tech : Co-Founder, Chairman
• CMU : M.S. Information Networking
Deja vu Security
• Seattle based, operating since 2010
• 100s of app and hardware assessments
• Web, IoT, cryptocurrency, infrastructure, etc.
• Training of developers, engineers, and teams to better understand modern threats.
TIME IS UNDEFEATED
Time Erodes All Things
A Sense of Deja vu
Deja vu. Deja vu. Deja vu. Deja vu.
Networks
Applications
Web
Cloud
Internet of Things (IoT)
“The tubes are on fire!”
“The desktop is on fire!”
“The world is on fire!”
“The sky is on fire!”
“Your pants are on fire!”
The Problem is Big
• The first step to recovery is the hardest.
• Awareness is good, but it doesn’t cure cancer.
• Security issues must be found; they can’t be created.
• Inherited, passed down the software gene pool.
• Plentiful: defense helps, but we keep kicking over more rocks.
• Random: the future is asymmetrically secured.
• Polymorphic: the tools we use to build systems are themselves security issues.
• We are going to have to start thinking differently.
Not That Differently
Tick, Tock.
• Data movement is a cadence to how we’ve built things.
• Echoes, the ghosts of usage models past.
• We leave data and code everywhere users go.
• User data replicates every decade or so.
[Timeline figure over t, alternating centralized and distributed: centralized in the 70’s (Mainframe), 90’s (Web/Email), 2010 (Cloud), 2030 (Internet of Me); distributed in the 80’s (PC), 00’s (Social Networks), 2020 (IoT).]
Security is a Snapshot in Time
• Security is a snapshot in time.
• Tomorrow is a new day full of drama on Twitter!
• Today is a great day to deprecate a system.
• Move user data to a safer and better place.
• Hackers are unstoppable in 1995.
• The closer the temporal snapshot is to 1995, the better for hackers.
• The person building the system decides which snapshot is taken:
  • Protocols from 1995
  • Libraries from 2006
  • Binaries from 2014
  • A Linux build from 2016
199X
• No memory defenses (NX, ASLR, stack cookies, etc.)
• No patching system or focus on security patches
• Little to no security awareness
• Default passwords, services, attack surface
• The closer the clock is to 1995, the stronger the hackers
You Wouldn’t March This Army Today
You Wouldn’t March This Army in 2117
Snapshot 1: 2002 vs 2017 Hackers
Snapshot 2 : 1995 vs 2017 Hackers
Computers are Awesome!
• They don’t LET you do anything.
• They DO anything!
• And only the things you tell them.
• CPU: AMMA, that’s about machine code to microcode.
• Good luck with the rest! That’s not what I do!
• General computation is good, however it means:
  • No reliability, no availability, no security.
  • This includes anything we build.
• Complexity leads to side effects, and exploitation is programming with side effects.
Memory Leak in /dev/litterbox?!
We Are at an Odd Juncture
• Mobile is eating all markets just like the PC did.
• User habits are changing, again.
• Web ate the rest of the world.
• User data flows in new directions
  • And lingers in the eddies.
• And for those of us left that still care about general computation, we have to run unknown kernel and firmware exploits to program our phones.
Jail Broken
“Stop Putting Things on the Internet”
• You might as well tell water to stop being wet.
• It is free to put another computer on the Internet.
• Putting a Pentium Pro in anything is free.
• In 4 years putting an iPhone 1 in everything is free. Why?
• Inverse of Moore’s law
Moore’s Law: # transistors, 2x every 18 months
[Chart: Transistors vs Year, 1971 to 2016, Y axis 0 to 8E+09]
Inverse of Moore’s Law
Every 18 months the cost of a transistor halves.
Free Pentium Pro for Every Dishwasher
[Chart: Inverse of Moore's Law, price in $ (Y axis $0.00 to $1,200.00) vs year, 1995 to 2022]
Putting a $1000 Pentium from 1995 in a dishwasher is free, today and every day in the future.
Everything is an iPhone in the near future.
[Chart: iPhone, price in $ (Y axis $0 to $600) vs year, 2007 to 2022]
Adding a 1st Gen iPhone worth of transistors to everything: $4 in 2018, free in 2022.
Phrased another way, adding Wifi, GSM, Bluetooth, GPU, CPU, storage, and sound to everything is free in 2022.
The Internet Finally Showed Up!
• The amount of air gap between our lives and the Internet is shrinking daily.
• Soon it will be gone. Good riddance! Plug me in!
• Unless you have decided to live in a cave.
  • And in another tick tock there’s still a chance it will have IP enabled bat guano.
• Technology is awesome!
• In 5 years my self-driving car will live stream.
• Localized live traffic video broadcasting and viewing is going to be a thing.
• There are going to be people sitting in traffic watching other people sit in traffic around the world.
Live From the I5 Parking Lot…
Be Still My Beating Heart
• The Internet of Me is coming soon.
• I can’t wait until my heart has an IP address
  • And firmware updates
  • And an app store to monetize!
• Cardio Trainer+ 4.0
  • Now with Twitter integration!
• Cardio Trainer+ 4.0.1
  • Pushed a patch as some users were excessively twitching while tweeting.
• Move fast and break things is not what I want for IP addressable organs.
Everybody Bugs
• Bugs happen.
• They happen to the best.
• They happen to the worst.
• Imperfection is the proof of life and existence.
• Mistakes are proof you actually did something.
• Keep building a better future one mistake at a time.
How to Lose Normal People
Start with Details
• “The buffer can overflow, causing a corruption of the pointer, which in turn is referenced by the vtable to cause code to jump to a known location as a result of ASLR not being compiled into a supporting DLL”
• “The password is P@ssw0rd!”
• “User A can access the details of User B”
CVE-2017 – Critical Bass Overflow
How to Get Things Flowing
Helping People Understand w/Impact
• The user’s bank account can be drained.
  • One person cares.
• The company can no longer perform transactions.
  • The entire company cares.
• The car performs a J-turn at 60 mph during rush hour.
  • 1 news cycle.
• The plane crashes.
  • 2 news cycles, 4 if they can’t find the plane.
• The pacemaker stops and kills the user.
  • 2 federal agencies + n pacemaker users care.
• The power plant explodes.
  • People care until the lights come back on.
In an Age of Infinite Scroll
“Hacked a what? Oh, right.”
Ken
• Ken /ken/ noun
  • “one's range of knowledge or sight”
  • “know”
• How far you see.
• How wide or narrow you are focused.
• How much you understand.
• How far someone else can see, focus, and understand.
Ken
Ken : My Ken
Ken : Your Ken
Ken : Our Ken
Ken
• Their Ken: I need to move 14,000 planes a day with 300 people in them each or the global economy stops.
• My Ken: Planes can move in ways you don’t intend if you connect them to the Internet, might even crash.
• Their Ken: Customers don’t like to crash.
• My Ken: Fewer planes move if they crash.
• Our Ken: Let’s make new planes that are easier to move and safer.
Ken
• Accepting WE > I
• Knowing the range of my knowledge and vision enables me to spend our time better.
• Knowing how to better understand the range of another’s vision helps us get to shared impact faster.
• Then we can start sharing details.
Testing for Echo
Test for Echo
• You have lost if:
  • All you are hearing is your own words coming back.
  • Things you already know.
• Shared exchange of ken is shared extension.
  • In turn it is shared vulnerability.
• Sustained echo is at best rapid construction of a chamber.
  • On a more than decade time scale it is slow death.
Details: Our Three Wins
• Firewalls
• Encryption
• Two Factor Authentication
Impact: Three Extensions of Ken
• Firewalls
  • I don’t want to run Ethernet cable in my house.
  • Wifi + Firewall = Win!
• Encryption
  • I can’t make it to the bank or store today.
  • I need to work from home.
  • Commerce from home + encrypted tunnel = Win!
• Two Factor Authentication
  • I don’t want to re-grind my character.
  • World of Warcraft = Win!
Ken: When Have We Won?
• We’ve won the same way everyone else has.
• When we’ve made someone’s life better, they adopted a technology.
  • It happened to be more secure because we spent years working on the details.
• If we want to get pedantic, we used Trojan horses to backdoor security into people’s lives.
• Applying security to a shift in user behavior.
  • This is better!
  • We defined that part of being better was more secure!
Ken: The users
• Want to do the thing and will always want to do the thing.
• Help the user keep doing the thing they want to do.
So how do we keep up?
• Details
• Impact
• Ken
Details: Get to Work
Bug: #1 Data as Code
• What do Cross Site Scripting, SQL Injection, and Buffer Overflows all have in common?
• They are all data being interpreted as code.
• Any place that user or machine controlled data is being used, interpreted, or parsed, a security issue awaits.
• This is big enough to master that you can spend multiple lifetimes right here.
• We’ve actually started to make steps towards fixing this problem in some places.
Bug: #2 Gamers are Going to Game
• Logical issues require someone to game the system.
• Must try to understand all the unexpected behavior of the logic of the system.
• Few good ways of automated testing here.
• The Meta Game
  • Attackers will continue to go for the weakest link.
  • Hint: It’s in 1995
  • Unless the time vs. reward scenario is high
  • or the motivation vs. reward scenario is super high
Bug: #3 The Secret Isn’t Secret
• Password1!
  • Upper, Lower, Numeric, Special!
  • Secure by most IT and Web policy!
• ' Or '1'='1'; --
  • Upper, Lower, Numeric, Special!
  • No key words!
  • 16 characters!
  • Secure!
• If not bad word jumbles, then bits generated by a machine given back to a machine!
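The data-as-code point of Bug #1 and the policy-compliant "password" of Bug #3 in one runnable illustration, added here and not part of the original talk or Deja vu's code: the users table, the policy check and both login functions are constructed for this example. It shows that the slide's 16-character string satisfies the letter of the complexity policy, is parsed as SQL when concatenated into a query, and stays inert data when bound as a parameter.

```python
import sqlite3

# Constructed sample users table (not from the original talk). Plaintext
# passwords are kept only so the query behaviour is easy to see; a real
# system stores a salted password hash and compares against that.
USERS = [("alice", "Password1!"), ("bob", "hunter2")]

# The 16-character string the slide offers as a policy-compliant "password".
SLIDE_PASSWORD = "' Or '1'='1'; --"


def meets_policy(pw: str) -> bool:
    """The complexity policy the slide mocks: upper, lower, numeric,
    special and at least 16 characters. It says nothing about whether
    the string will be treated as data or as code downstream."""
    return (
        len(pw) >= 16
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() and not c.isspace() for c in pw)
    )


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Vulnerable: user data is spliced into the SQL text, so the SQL
    parser reads the quote, the OR and the comment inside the 'password'
    as code. With SLIDE_PASSWORD the WHERE clause becomes
    name = 'alice' AND password = '' Or '1'='1' and every row matches."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Hardened: the statement is compiled first and the values are bound
    afterwards, so the same string can only ever be compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))


def demo() -> dict:
    """Run both logins with the slide's string as the password."""
    conn = open_db()
    return {
        "policy_accepts": meets_policy(SLIDE_PASSWORD),
        "concat_matches": login_concat(conn, "alice", SLIDE_PASSWORD),
        "param_matches": login_param(conn, "alice", SLIDE_PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```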
Bug: #4 The thing is in the wrong place
• What is this?
• Wait, why is this here?
• This shouldn’t be here!
• OMG WHY IS THIS HERE
• System, person, information in the wrong place.
  • Sensitive data management
  • Asset management
  • Physical pen tests
  • Etc.
To Master Impact
• See the system as a graph of lists sorted by time.
• Know what matters in the system.
• Use the details to break the system.
• When the system will not break, change the game.
Impact: Master The Graph
• Seeing the system as a graph allows direct access to what is most impactful for the system.
Impact: Master the Clock
To Master Ken
• Know yourself and share ideas and creations.
• Ask to know and understand others.
• Use impacts to connect yourself to others faster.
• Seek the patterns that allow you to extend your vision and knowledge.
• Use details to demonstrate impacts.
• Never start with details.
To Master Ken
• In cooperation:
  • Use your ken to help others see what they cannot.
  • Ask to be shown what you cannot see.
• In conflict:
  • Find the blind spots.
  • Where someone is blind they cannot defend.
Mastering Ken
Ken: Test for Echo
• Step out of the echo chamber from time to time.
• Find people who have problems in different industries you’ll never have.
• Listen to them.
• See how much you can share, but more importantly see what comes back when you do.
So How To Keep Up?
• Understand what snapshot you need to take (Ken) and how often you need to take it (Impact). Then start to secure it by building tomorrow (Details).
• Let the past go when you can.
  • Pull out the oldest versions when you can.
• Build a better tomorrow and ask people to help you convince others to adopt it.
• Ask yourself: do you want to keep clawing away from 1995 or start building a better 2020?
Takeaways
• Security is a snapshot in time.
  • That snapshot is part ken, impact, and details.
• Building a better tomorrow can build a more secure tomorrow.
  • Building a better tomorrow requires more than details and impact.
  • It requires understanding of your own ken to start.
• I hope this talk has extended yours.
Thank You
@adamcecc

Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX 2017

  • 1. SECURITY IS A SNAPSHOT IN TIME - SO HOW DO WE KEEP UP? Adam Cecchetti Deja vu Security
  • 2. Hello!  Adam Cecchetti  Deja vu Security : Founder, CEO  Peach Tech : Co-Founder, Chairman  CMU : M.S. Information Networking
  • 3. Deja vu Security  Seattle based operating since 2010  100s of App and Hardware assessments  Web, IoT, Cryptocurrency, Infrastructure, etc  Training of developers, engineers, and teams to better understand modern threats.
  • 6. A Sense of Deja vu
  • 7. Deja vu. Deja vu. Deja vu. Deja vu. Networks Applications Web Cloud Internet of Things (IoT) “The tubes are on fire!” “The desktop is on fire!” “The world is on fire!” “The sky is on fire!” “Your pants are on fire!”
  • 8. The Problem is Big  The first step to recovery is the hardest.  Awareness is good, but it doesn’t cure cancer.  Security issues must be found they can’t be created.  Inherited, passed down the software genepool.  Plentiful, defense helps but we kick over more rocks.  Random, the future is asymmetrically secured.  Polymorphic, the tools we use to build systems are security issues.  We are going to have to start thinking differently.
  • 10. Tick, Tock.  Data movement is a cadence to how we’ve built things.  Echoes, the ghosts of usage models past.  We leave data and code everywhere users go.  User data replicates every decade or so. t Centralized Distributed 70’s 90’s 2010 2030 80’s 00’s 2020 Mainframe Web/Email Cloud Internet of Me PC Social Networks IoT
  • 11. Security is a Snapshot in Time  Security is a snapshot in time.  Tomorrow is a new day full of drama on Twitter!  Today is a great day to deprecate a system.  Move user data to a safer and better place.  Hackers are unstoppable in 1995.  The closer the temporal snapshot to 1995 the better for hackers.  The person building the system decides the snapshot that is taken.  Protocols from 1995  Libraries from 2006  Binaries from 2014  A Linux build from 2016
  • 12. 199X  No memory defense (NX, ASLR, StackCookies,etc)  No patching system or focus on security patches  Little to no security awareness  Default passwords, services, attack surface  Closer the clock is to 1995 the stronger the hackers
  • 13. You Wouldn’t March This Army Today
  • 14. You Wouldn’t March This Army in 2117
  • 15. Snapshot 1: 2002 vs 2017 Hackers
  • 16. Snapshot 2: 1995 vs 2017 Hackers
  • 17. Computers are Awesome!
    - They don’t LET you do anything.
    - They DO anything!
      - And only things you tell them
    - CPU: AMMA, that’s about machine code to microcode. Good luck with the rest! That’s not what I do!
    - General computation is good, however it means:
      - No reliability, no availability, no security.
      - This includes anything we build.
    - Complexity leads to side effects, and exploitation is programming with side effects.
  • 18. Memory Leak in /dev/litterbox?!
  • 19. We Are at an Odd Juncture
    - Mobile is eating all markets just like the PC did.
    - User habits are changing, again.
    - Web ate the rest of the world.
    - User data flows in new directions
      - And lingers in the eddies.
    - And for those of us left that still care about general computation, we have to run unknown kernel and firmware exploits to program our phones.
  • 21. “Stop Putting Things on the Internet”
    - You might as well tell water to stop being wet.
    - It is free to put another computer on the Internet
      - Putting a Pentium Pro in anything is free
      - In 4 years putting an iPhone 1 in everything is free. Why?
    - Inverse of Moore’s law
  • 22. Moore’s Law [chart: transistor count vs. year, 1971 to 2016, y-axis 0 to 8 billion; count doubles every 18 months]
  • 23. Inverse of Moore’s Law: Every 18 months the cost of a transistor halves.
  • 24. Free Pentium Pro for Every Dishwasher [chart: Inverse of Moore’s Law, cost of a 1995 Pentium from $1,000 down to $0, 1995 to 2022] Putting a $1000 Pentium from 1995 in a dishwasher is free, today and every day in the future.
  • 25. Everything is an iPhone in the near future. [chart: iPhone, price of a 1st Gen iPhone’s worth of transistors, y-axis $0 to $600, 2007 to 2022] Adding a 1st Gen iPhone worth of transistors to everything: $4 in 2018, free in 2022. Phrased another way, adding Wifi, GSM, Bluetooth, GPU, CPU, storage, & sound to everything is free in 2022.
  • 26. The Internet Finally Showed Up!
    - The amount of air gap between our lives and the Internet is shrinking daily.
    - Soon it will be gone. Good Riddance! Plug me in!
      - Unless you have decided to live in a cave.
      - And in another tick tock there’s still a chance it will have IP enabled bat guano.
    - Technology is awesome!
      - In 5 years my self driving car will live stream.
      - Localized live traffic video broadcasting and viewing is going to be a thing.
      - There are going to be people sitting in traffic watching other people sit in traffic around the world.
  • 27. Live From the I5 Parking Lot…
  • 28. Be Still My Beating Heart
    - The Internet of Me is coming soon
    - I can’t wait until my heart has an IP address
      - And firmware updates
      - And an app store to monetize!
    - Cardio Trainer+ 4.0
      - Now with Twitter Integration!
    - Cardio Trainer+ 4.0.1
      - Pushed a patch as some users were excessively twitching while Tweeting.
    - Move fast and break things is not what I want for IP addressable organs.
  • 29. Everybody Bugs
    - Bugs happen.
    - They happen to the best.
    - They happen to the worst.
    - Imperfection is the proof of life and existence.
    - Mistakes are proof you actually did something.
    - Keep building a better future one mistake at a time
  • 30. How to Lose Normal People
  • 31. Start with Details
    - “The buffer can overflow causing a corruption of the pointer which in turn is referenced by the vtable to cause code to jump to a known location as a result of ASLR being not compiled into a supporting DLL”
    - “The password is P@ssw0rd!”
    - “User A can access the details of User B”
  • 32. CVE-2017 – Critical Bass Overflow
  • 33. How to Get Things Flowing
  • 34. Helping People Understand w/Impact
    - The user’s bank account can be drained.
      - One person cares.
    - The company can no longer perform transactions.
      - The entire company cares.
    - The car performs a J-turn at 60 mph during rush hour
      - 1 news cycle.
    - The plane crashes
      - 2 news cycles, 4 if they can’t find the plane.
    - The pacemaker stops and kills the user.
      - 2 Federal Agencies + n pacemaker users care.
    - The power plant explodes.
      - People care until the lights come back on.
  • 35. In an Age of Infinite Scroll
  • 36. “Hacked a what? Oh, right.”
  • 37. Ken
    - Ken /ken/ noun
      - “one's range of knowledge or sight”
      - “know”
    - How far you see.
    - How wide or narrow you are focused.
    - How much you understand.
    - How far someone else can see, focus, and understand.
  • 38. Ken
  • 39. Ken : My Ken
  • 40. Ken : Your Ken
  • 41. Ken : Our Ken
  • 42. Ken
    - Their Ken: I need to move 14,000 planes a day with 300 people in them each or the global economy stops.
    - My Ken: Planes can move in ways you don’t intend if you connect them to the Internet, might even crash.
    - Their Ken: Customers don’t like to crash.
    - My Ken: Fewer planes move if they crash.
    - Our Ken: Let’s make new planes that are easier to move and safer.
  • 43.
  • 44. Ken
    - Accepting WE > I
    - Knowing the range of my knowledge and vision enables me to spend our time better.
    - Knowing how to better understand the range of another’s vision helps us get to shared impact faster.
    - Then we can start sharing details.
  • 46. Test for Echo
    - You have lost if:
      - All you are hearing is your own words come back.
      - Things you already know.
    - Shared exchange of ken is shared extension.
      - In turn it is shared vulnerability.
    - Sustained echo is at best rapid construction of a chamber.
      - On a more than decade time scale it is slow death.
  • 47. Details: Our Three Wins
    - Firewalls
    - Encryption
    - Two Factor Authentication
  • 48. Impact: Three Extensions of Ken
    - Firewalls
      - I don’t want to run Ethernet cable in my house.
      - Wifi + Firewall = Win!
    - Encryption
      - I can’t make it to the bank or store today.
      - I need to work from home.
      - Commerce from home + encrypted tunnel = Win!
    - Two Factor Authentication
      - I don’t want to re-grind my character.
      - World of Warcraft = Win!
  • 49. Ken: When Have We Won?
    - We’ve won the same way everyone else has.
    - When we’ve made someone’s life better, they adopted a technology.
      - It happened to be more secure because we spent years working on the details.
    - If we want to get pedantic, we used Trojan horses to backdoor security into people’s lives.
      - Applying security to a shift in user behavior.
      - This is better!
      - We defined that part of being better was more secure!
  • 50. Ken: The users
    - Want to do the thing and will always want to do the thing.
    - Help the user keep doing the thing they want to do.
  • 51. So how do we keep up?
    - Details
    - Impact
    - Ken
  • 53. Bug: #1 Data as Code
    - What do Cross Site Scripting, SQL Injection, and Buffer Overflows all have in common?
    - They are all data being interpreted as code.
    - Any place that user or machine controlled data is being used, interpreted, or parsed, a security issue awaits.
    - This is big enough to master that you can spend multiple lifetimes right here.
    - We’ve actually started to make steps towards fixing this problem in some places.
  • 54. Bug: #2 Gamers are Going to Game
    - Logical issues require someone to game the system
      - Must try and understand all the unexpected behavior of the logic of the system.
      - Few good ways of automated testing here
    - The Meta Game
      - Attackers will continue to go for the weakest link
      - Hint: It’s in 1995
      - Unless the time vs. reward scenario is high
      - or the motivation vs. reward scenario is super high
  • 55. Bug: #3 The Secret Isn’t Secret
    - Password1!
      - Upper, lower, numeric, special!
      - Secure by most IT and Web policy!
    - " Or '1'='1'; --
      - Upper, lower, numeric, special!
      - No key words!
      - 16 characters!
      - Secure!
    - If not bad word jumbles, then bits generated by a machine given back to a machine!
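Slides 53 and 55 describe the same bug class from two sides: a "password" that is really SQL, and a query that interprets data as code. The example below is added here and is not from the talk; it builds a login query both ways against a constructed in-memory SQLite table and feeds both the slide-55 string (opening with a single quote so it matches the query's single-quoted literals).

```python
import sqlite3

# Injection string from slide 55, opening with a single quote so it matches
# the single-quoted literals in the vulnerable query below.
SLIDE_55_PASSWORD = "' Or '1'='1'; --"

# Constructed sample accounts for the demonstration (not from the talk).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, name, password):
    """Data as code: the input is spliced into the SQL text, so the quote,
    OR and comment characters in the password are parsed as SQL syntax."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in db.execute(sql))


def login_parameterized(db, name, password):
    """Fix: bound parameters keep the input as data; the SQL text is parsed
    once and the password is never re-read as part of the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (name, password)))


def compare(name, password):
    """Return which accounts each query style logs in for the same input."""
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, name, password),
        "parameterized": login_parameterized(db, name, password),
    }


if __name__ == "__main__":
    # Real credentials behave the same in both; the slide-55 string logs in
    # every account through the string-built query and nobody via parameters.
    print(compare("alice", "correct horse"))
    print(compare("mallory", SLIDE_55_PASSWORD))
```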
  • 56. Bug: #4 The thing is in the wrong place
    - What is this?
    - Wait, why is this here?
    - This shouldn’t be here!
    - OMG WHY IS THIS HERE
    - System, person, information in the wrong place.
      - Sensitive data management
      - Asset management
      - Physical Pen Tests
      - Etc
  • 57. To Master Impact
    - See the system as a graph of lists sorted by time.
    - Know what matters in the system.
    - Use the details to break the system.
    - When the system will not break, change the game.
  • 59. Impact: Master The Graph
    - Seeing the system as a graph allows direct access to what is most impactful for the system.
  • 61. To Master Ken
    - Know yourself and share ideas and creations.
    - Ask to know and understand others.
    - Use impacts to connect yourself to others faster.
    - Seek the patterns that allow you to extend your vision and knowledge.
    - Use details to demonstrate impacts
      - Never start with details
  • 62. To Master Ken
    - In cooperation:
      - Use your ken to help others see what they cannot.
      - Ask to be shown what you cannot see.
    - In conflict:
      - Find the blind spots.
      - Where someone is blind they cannot defend.
  • 64. Ken: Test for Echo
    - Step out of the echo chamber from time to time.
    - Find people who have problems in different industries you’ll never have.
    - Listen to them.
    - See how much you can share, but more importantly see what comes back when you do.
  • 65. So How To Keep Up?
    - Understand what snapshot you need to take (Ken) and how often you need to take it (Impact). Then start to secure it by building tomorrow (Details).
    - Let the past go when you can.
      - Pull out the oldest versions when you can
    - Build a better tomorrow and ask people to help you convince others to adopt it.
    - Ask yourself: do you want to keep clawing away from 1995 or start building a better 2020?
  • 66. Takeaways
    - Security is a snapshot in time
    - That snapshot is part ken, impact, and details.
    - Building a better tomorrow can build a more secure tomorrow.
    - Building a better tomorrow requires more than details and impact.
      - It requires understanding of your own ken to start.
    - I hope this talk has extended yours.