SlideShare une entreprise Scribd logo

Marcus Ranum on Bad Idea Zombies

David Strom
David Strom

Security disasters can emanate from many places but often the main contributor is the disconnect that exists between CIO’s (and executives in general) and the technical staff. This disconnect can give life to the scariest undead creature in the business world: <b>the bad idea zombie.

TechnologieBusiness
1  sur  25
Télécharger pour lire hors ligne
Anatomy of The Security Disaster Marcus J. Ranum (mjr@tenablesecurity.com) Tenable Network Security, Inc.
The Security Disaster • What is the problem? – Dangerous stuff is being done by people who think it is being done safely – Their incomprehension of the danger encourages increased exposure (the “it hasn’t happened yet” effect) • We are at the point where cyberterror starts to become a legitimate fear
The Future • “It's a problem for security people because their career depends on their ability to enable the business securely. We have had six years of "regulation-based job security" for the whiners. That era is coming to an end.” Alan Paller, SANS
The Security Disaster • In other words, the problem is going to get worse • What is scary is the existing scope of the problem is already very broad; the current state of affairs has been gestating for 10+ years
What Will We Do? (that will not work) • Spend our way out of the hole – Cost of doing it right exceeds cost of re- doing it – Currently an installed base of doing it wrong – Inertia (financial and technological) ...in other words: we’re already so deep into this that physics has taken over
Do We Learn? • Do pro-active measures actually carry weight? • Disaster-and-patch is the current strategy
Time Line of a Typical Disaster 1) Inception of bad idea 2) Identification as bad idea 3) Negotiation 4) Search for Plan B 5) Failure to re-adjust expectations 6) Initial failure conditions are noticed 7) Denial or kludging 8) Failure 2.2) Memos generated! 6.2) Memos generated! Opportunity for cover-up or conspiracy
Time Line of a Typical Disaster (cont) 9) Hunt for the guilty 10) Finger Pointing 11) Memo Archaeology 12) Slaughter of the Innocents 13) Failure to learn REPEAT Memos from 2.2 and 6.2 resurface!
Failure of Risk Management • The premise of the “risk management” approach to security is that good thinking happens at stage #3 – In fact, what happens is that the good thinking is largely undone by the time you get to stage #7 • Every organization that is performing “risk management” is currently in denial
Failure of Communication • The premise of the “improved communication” approach to security is that good thinking happens at stage #2, #4, #6, and #7 – That’s simply expecting too much good thinking to happen
Failure of Education • The premise of the “educate the manager, educate the business” approach to security is the same as the “communication” idea except for the assumption that the right thing is just going to happen organically – That’s utter fantasy
Failure of Legislation • The legislative approach (what is being most widely attempted right now) relies on publicly identifying organizations that failed at stage #8 and hoping that organizations that are already at stage #7 are going to magically wind back the clock to stage #3 – Will always be seen as prohibitively expensive
Economic Models • A popular fad nowadays is “economic models” of security – Essentially the attempt to correctly place security in the value chain – This almost always results in security being given a high presumed value and low cost (a nice way of saying, “highly fudged”) • Even so, security is a “market failure”
Epic Failures • When failures occur, someone has to take the blame – Standard failure mode is management states “I take full responsibility” • …but someone else takes the fall • In US DOD gov’t space that is virtually always a contractor (because it’s only contractors that actually do anything) But let’s look closer at what’s happening...
The Middle Layer • According to Alan Paller: – Security has to enable business – In cases where failures occur it is discovered that technologists lied about how safe systems were • Reveals profound disconnect between what management thinks, and reality – This should not be news to most of you
The Middle Layer (cont) • My observation in return was that: – The technologists told the truth; it’s simply that management didn’t hear the truth – Management remembers what it asked for not what it heard in response – Result is a massive disconnect between management expectations and ground reality
The “Plan A” “Plan B” Effect • Management asks for “(something dumb) with perfect security” – Technology answers “it can’t be done” • Management then asks for “Plan B” – Continues shopping the idea until someone cooks up something that will mostly work
Expectation Level • The problem is that the expectation level does not get reset in this process – Management simply continues to forge ahead with the idea that “perfect security” remains part of the equation • Meanwhile there are memos from technologists that say (variously) “We can do it, but there are substantial risks…” (2.2 and 6.2)
The Space Shuttle Disasters • The quintessence of this kind of failure is described by Richard Feynman in his minority report about the Challenger disaster – Feynman was dead when the Columbia broke up, but the failure paradigm in the Columbia disaster was exactly the same • We consistently see disconnect between expectation and reality
Breaking the Cycle • What can we do? – Ensure maximum clarity at all parts of stage #2, #3, #4, #5 – Pre-allocate blame at stage #7 and #8 • Technical / responsible individuals must make sure to document that they issued warnings in stage #8 – And, if you actually want things to get better, the warnings must get high enough
Breaking the Cycle (summary) • Key phrases: – “We must re-assess the decision to…” – “The risk estimate of regarding (blank) is optimistic…” – “Continuing with (blank) represents additional investment in a risky decision…”
A Grim Future • The behaviors that I am describing are fundamental behaviors that are ingrained in human optimism – If I am correct, virtually all of the work that is currently being done to bring systems into compliance with regulations will represent wasted effort – Web2.0 rapid adoption includes the next tidal wave of bad ideas, and is already upon us
Understanding Failure as Complexity Increases • I have already encountered two forensic/response cases in which the client had no interest in actually figuring out what went wrong they simply wanted to “fix it” • Models of distributing and sharing risk make no sense when risk is “pick an number between 0% and 100%”
Summary • After 20 years working in information security I am convinced that the situation is not only beyond repair; it is getting worse • Have a nice day!

Recommandé

Brighttalk outage insurance- what you need to know - final
Brighttalk outage insurance- what you need to know - finalBrighttalk outage insurance- what you need to know - final
Brighttalk outage insurance- what you need to know - final
Andrew White
 
Brighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - finalBrighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - final
Andrew White
 
Brighttalk reason 114 for learning math - final
Brighttalk reason 114 for learning math - finalBrighttalk reason 114 for learning math - final
Brighttalk reason 114 for learning math - final
Andrew White
 
Carrot stick-consequences-app secdc-2010
Carrot stick-consequences-app secdc-2010Carrot stick-consequences-app secdc-2010
Carrot stick-consequences-app secdc-2010
orcus666
 
Bright talk running a cloud - final
Bright talk running a cloud - finalBright talk running a cloud - final
Bright talk running a cloud - final
Andrew White
 
Creating a Technology Disaster Plan
Creating a Technology Disaster PlanCreating a Technology Disaster Plan
Creating a Technology Disaster Plan
Legal Services National Technology Assistance Project (LSNTAP)
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Sandra (Sandy) Dunn
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to Compliance
Evan Francen
 

Recommandé

Brighttalk outage insurance- what you need to know - final
Brighttalk outage insurance- what you need to know - finalBrighttalk outage insurance- what you need to know - final
Brighttalk outage insurance- what you need to know - final
Andrew White
 
Brighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - finalBrighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - final
Andrew White
 
Brighttalk reason 114 for learning math - final
Brighttalk reason 114 for learning math - finalBrighttalk reason 114 for learning math - final
Brighttalk reason 114 for learning math - final
Andrew White
 
Carrot stick-consequences-app secdc-2010
Carrot stick-consequences-app secdc-2010Carrot stick-consequences-app secdc-2010
Carrot stick-consequences-app secdc-2010
orcus666
 
Bright talk running a cloud - final
Bright talk running a cloud - finalBright talk running a cloud - final
Bright talk running a cloud - final
Andrew White
 
Creating a Technology Disaster Plan
Creating a Technology Disaster PlanCreating a Technology Disaster Plan
Creating a Technology Disaster Plan
Legal Services National Technology Assistance Project (LSNTAP)
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Sandra (Sandy) Dunn
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to Compliance
Evan Francen
 
Big Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big DataBig Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big Data
Lars Trieloff
 
Brighttalk getting back on track - final
Brighttalk getting back on track - finalBrighttalk getting back on track - final
Brighttalk getting back on track - final
Andrew White
 
Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...
Association for Project Management
 
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Lars Trieloff
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
Adrian Wright
 
Systems Concepts for Agile Practitioners
Systems Concepts for Agile PractitionersSystems Concepts for Agile Practitioners
Systems Concepts for Agile Practitioners
Roger Brown
 
Become an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World FasterBecome an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World Faster
Gary A. Bolles
 
Cybersecurity and liability your david willson
Cybersecurity and liability your david willsonCybersecurity and liability your david willson
Cybersecurity and liability your david willson
David Willson, Attorney, CISSP, Security +
 
The big-data revolution in healthcare
The big-data revolution in healthcareThe big-data revolution in healthcare
The big-data revolution in healthcare
Vaibhav Srivastav
 
Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research
Emerj
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
Dana Gardner
 
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Jason Hong
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Dana Gardner
 
Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020
Brian Housand
 
How To Develop A Company Disaster Plan
How To Develop A Company Disaster PlanHow To Develop A Company Disaster Plan
How To Develop A Company Disaster Plan
Jennifer H. Elder
 
Evolving it security Threats and Solutions
Evolving it security Threats and SolutionsEvolving it security Threats and Solutions
Evolving it security Threats and Solutions
University of Hertfordshire
 
COMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of TechnologyCOMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of Technology
Michael Heron
 
Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...
Association for Project Management
 
Lean Security
Lean SecurityLean Security
Lean Security
SeniorStoryteller
 
Automated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamAutomated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data Amsterdam
Lars Trieloff
 
Top 12 Threats to Enterprise
Top 12 Threats to EnterpriseTop 12 Threats to Enterprise
Top 12 Threats to Enterprise
Argyle Executive Forum
 
The BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConThe BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecCon
Michael Gough
 

Contenu connexe

Tendances

Brighttalk getting back on track - final
Brighttalk getting back on track - finalBrighttalk getting back on track - final
Brighttalk getting back on track - final
Andrew White
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
Adrian Wright
 
Evolving it security Threats and Solutions
Evolving it security Threats and SolutionsEvolving it security Threats and Solutions
Evolving it security Threats and Solutions
University of Hertfordshire
 

Tendances (20)

Big Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big DataBig Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big Data
 
Brighttalk getting back on track - final
Brighttalk getting back on track - finalBrighttalk getting back on track - final
Brighttalk getting back on track - final
 
Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...
 
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
 
Systems Concepts for Agile Practitioners
Systems Concepts for Agile PractitionersSystems Concepts for Agile Practitioners
Systems Concepts for Agile Practitioners
 
Become an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World FasterBecome an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World Faster
 
Cybersecurity and liability your david willson
Cybersecurity and liability your david willsonCybersecurity and liability your david willson
Cybersecurity and liability your david willson
 
The big-data revolution in healthcare
The big-data revolution in healthcareThe big-data revolution in healthcare
The big-data revolution in healthcare
 
Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
 
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
 
Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020
 
How To Develop A Company Disaster Plan
How To Develop A Company Disaster PlanHow To Develop A Company Disaster Plan
How To Develop A Company Disaster Plan
 
Evolving it security Threats and Solutions
Evolving it security Threats and SolutionsEvolving it security Threats and Solutions
Evolving it security Threats and Solutions
 
COMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of TechnologyCOMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of Technology
 
Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...
 
Lean Security
Lean SecurityLean Security
Lean Security
 
Automated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamAutomated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data Amsterdam
 

Similaire à Marcus Ranum on Bad Idea Zombies

Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose TutorialArchitecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
Will Gallego
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
EnergySec
 
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
RedZone Technologies
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
Karina Elise
 
20161109_Mahan_Brighttalk_Webinar_Final
20161109_Mahan_Brighttalk_Webinar_Final20161109_Mahan_Brighttalk_Webinar_Final
20161109_Mahan_Brighttalk_Webinar_Final
Phillip Mahan
 
What Makes a Good Police OfficerThe most honest and direct re.docx
What Makes a Good Police OfficerThe most honest and direct re.docxWhat Makes a Good Police OfficerThe most honest and direct re.docx
What Makes a Good Police OfficerThe most honest and direct re.docx
lillie234567
 

Similaire à Marcus Ranum on Bad Idea Zombies (20)

Top 12 Threats to Enterprise
Top 12 Threats to EnterpriseTop 12 Threats to Enterprise
Top 12 Threats to Enterprise
 
The BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConThe BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecCon
 
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose TutorialArchitecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
The Future of Advanced Analytics
The Future of Advanced AnalyticsThe Future of Advanced Analytics
The Future of Advanced Analytics
 
Leadership In Crises Mode Asme Presentation
Leadership In Crises Mode Asme PresentationLeadership In Crises Mode Asme Presentation
Leadership In Crises Mode Asme Presentation
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
 
Baker - Foundation and Operational Learning.pdf
Baker - Foundation and Operational Learning.pdfBaker - Foundation and Operational Learning.pdf
Baker - Foundation and Operational Learning.pdf
 
How to Spend Your Cloud Security Dollar
How to Spend Your Cloud Security DollarHow to Spend Your Cloud Security Dollar
How to Spend Your Cloud Security Dollar
 
DeepSec 2014 - The Measured CSO
DeepSec 2014 - The Measured CSODeepSec 2014 - The Measured CSO
DeepSec 2014 - The Measured CSO
 
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
 
Cybersecurity in 2016
Cybersecurity in 2016Cybersecurity in 2016
Cybersecurity in 2016
 
20161109_Mahan_Brighttalk_Webinar_Final
20161109_Mahan_Brighttalk_Webinar_Final20161109_Mahan_Brighttalk_Webinar_Final
20161109_Mahan_Brighttalk_Webinar_Final
 
What Makes a Good Police OfficerThe most honest and direct re.docx
What Makes a Good Police OfficerThe most honest and direct re.docxWhat Makes a Good Police OfficerThe most honest and direct re.docx
What Makes a Good Police OfficerThe most honest and direct re.docx
 
Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?
 
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
 

Plus de David Strom

Plus de David Strom (20)

Spark Twitter fails Mar2023
Spark Twitter fails Mar2023Spark Twitter fails Mar2023
Spark Twitter fails Mar2023
 
Getting Your First Cybersecurity Job
Getting Your First Cybersecurity JobGetting Your First Cybersecurity Job
Getting Your First Cybersecurity Job
 
Understanding passwordless technologies
Understanding passwordless technologiesUnderstanding passwordless technologies
Understanding passwordless technologies
 
What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?
 
Fears and fulfillment with IT security
Fears and fulfillment with IT securityFears and fulfillment with IT security
Fears and fulfillment with IT security
 
Protecting your digital and online privacy
Protecting your digital and online privacyProtecting your digital and online privacy
Protecting your digital and online privacy
 
AI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsAI and cyber security: new directions, old fears
AI and cyber security: new directions, old fears
 
The legalities of hacking back
The legalities of hacking backThe legalities of hacking back
The legalities of hacking back
 
How to market your book in today's social media world
How to market your book in today's social media worldHow to market your book in today's social media world
How to market your book in today's social media world
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of Things
 
How to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersHow to make your mobile phone safe from hackers
How to make your mobile phone safe from hackers
 
Implications and response to large security breaches
Implications and response to large security breaches Implications and response to large security breaches
Implications and response to large security breaches
 
Using social networks to find your next job (2017)
Using social networks to find your next job (2017)Using social networks to find your next job (2017)
Using social networks to find your next job (2017)
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debate
 
Using OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosUsing OpenStack to Control VM Chaos
Using OpenStack to Control VM Chaos
 
Notable Twitter fails
Notable Twitter failsNotable Twitter fails
Notable Twitter fails
 
How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computing
 
Listen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportListen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better Support
 
Network security practice: then and now
Network security practice: then and nowNetwork security practice: then and now
Network security practice: then and now
 
Biggest startup mistakes
Biggest startup mistakesBiggest startup mistakes
Biggest startup mistakes
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Marcus Ranum on Bad Idea Zombies

  • 1. Anatomy of The Security Disaster Marcus J. Ranum (mjr@tenablesecurity.com) Tenable Network Security, Inc.
  • 2.
  • 3. The Security Disaster • What is the problem? – Dangerous stuff is being done by people who think it is being done safely – Their incomprehension of the danger encourages increased exposure (the “it hasn’t happened yet” effect) • We are at the point where cyberterror starts to become a legitimate fear
  • 4. The Future • “It's a problem for security people because their career depends on their ability to enable the business securely. We have had six years of "regulation-based job security" for the whiners. That era is coming to an end.” Alan Paller, SANS
  • 5. The Security Disaster • In other words, the problem is going to get worse • What is scary is the existing scope of the problem is already very broad; the current state of affairs has been gestating for 10+ years
  • 6. What Will We Do? (that will not work) • Spend our way out of the hole – Cost of doing it right exceeds cost of re- doing it – Currently an installed base of doing it wrong – Inertia (financial and technological) ...in other words: we’re already so deep into this that physics has taken over
  • 7. Do We Learn? • Do pro-active measures actually carry weight? • Disaster-and-patch is the current strategy
  • 8. Time Line of a Typical Disaster 1) Inception of bad idea 2) Identification as bad idea 3) Negotiation 4) Search for Plan B 5) Failure to re-adjust expectations 6) Initial failure conditions are noticed 7) Denial or kludging 8) Failure 2.2) Memos generated! 6.2) Memos generated! Opportunity for cover-up or conspiracy
  • 9. Time Line of a Typical Disaster (cont) 9) Hunt for the guilty 10) Finger Pointing 11) Memo Archaeology 12) Slaughter of the Innocents 13) Failure to learn REPEAT Memos from 2.2 and 6.2 resurface!
  • 10. Failure of Risk Management • The premise of the “risk management” approach to security is that good thinking happens at stage #3 – In fact, what happens is that the good thinking is largely undone by the time you get to stage #7 • Every organization that is performing “risk management” is currently in denial
  • 11. Failure of Communication • The premise of the “improved communication” approach to security is that good thinking happens at stage #2, #4, #6, and #7 – That’s simply expecting too much good thinking to happen
  • 12. Failure of Education • The premise of the “educate the manager, educate the business” approach to security is the same as the “communication” idea except for the assumption that the right thing is just going to happen organically – That’s utter fantasy
  • 13. Failure of Legislation • The legislative approach (what is being most widely attempted right now) relies on publicly identifying organizations that failed at stage #8 and hoping that organizations that are already at stage #7 are going to magically wind back the clock to stage #3 – Will always be seen as prohibitively expensive
  • 14. Economic Models • A popular fad nowadays is “economic models” of security – Essentially the attempt to correctly place security in the value chain – This almost always results in security being given a high presumed value and low cost (a nice way of saying, “highly fudged”) • Even so, security is a “market failure”
  • 15. Epic Failures • When failures occur, someone has to take the blame – Standard failure mode is management states “I take full responsibility” • …but someone else takes the fall • In US DOD gov’t space that is virtually always a contractor (because it’s only contractors that actually do anything) But let’s look closer at what’s happening...
  • 16. The Middle Layer • According to Alan Paller: – Security has to enable business – In cases where failures occur it is discovered that technologists lied about how safe systems were • Reveals profound disconnect between what management thinks, and reality – This should not be news to most of you
  • 17. The Middle Layer (cont) • My observation in return was that: – The technologists told the truth; it’s simply that management didn’t hear the truth – Management remembers what it asked for not what it heard in response – Result is a massive disconnect between management expectations and ground reality
  • 18. The “Plan A” “Plan B” Effect • Management asks for “(something dumb) with perfect security” – Technology answers “it can’t be done” • Management then asks for “Plan B” – Continues shopping the idea until someone cooks up something that will mostly work
  • 19. Expectation Level • The problem is that the expectation level does not get reset in this process – Management simply continues to forge ahead with the idea that “perfect security” remains part of the equation • Meanwhile there are memos from technologists that say (variously) “We can do it, but there are substantial risks…” (2.2 and 6.2)
  • 20. The Space Shuttle Disasters • The quintessence of this kind of failure is described by Richard Feynman in his minority report about the Challenger disaster – Feynman was dead when the Columbia broke up, but the failure paradigm in the Columbia disaster was exactly the same • We consistently see disconnect between expectation and reality
  • 21. Breaking the Cycle • What can we do? – Ensure maximum clarity at all parts of stage #2, #3, #4, #5 – Pre-allocate blame at stage #7 and #8 • Technical / responsible individuals must make sure to document that they issued warnings in stage #8 – And, if you actually want things to get better, the warnings must get high enough
  • 22. Breaking the Cycle (summary) • Key phrases: – “We must re-assess the decision to…” – “The risk estimate of regarding (blank) is optimistic…” – “Continuing with (blank) represents additional investment in a risky decision…”
  • 23. A Grim Future • The behaviors that I am describing are fundamental behaviors that are ingrained in human optimism – If I am correct, virtually all of the work that is currently being done to bring systems into compliance with regulations will represent wasted effort – Web2.0 rapid adoption includes the next tidal wave of bad ideas, and is already upon us
  • 24. Understanding Failure as Complexity Increases • I have already encountered two forensic/response cases in which the client had no interest in actually figuring out what went wrong they simply wanted to “fix it” • Models of distributing and sharing risk make no sense when risk is “pick an number between 0% and 100%”
  • 25. Summary • After 20 years working in information security I am convinced that the situation is not only beyond repair; it is getting worse • Have a nice day!