
Mortman/Hutton Security B-Sides Presentation

The presentation Mortman & Hutton gave at Security B-Sides in Las Vegas as well as our Black Hat presentation mixed in.

More at http://www.newschoolsecurity.com

Published in: Technology, Business

  1. Challenging the Epistemological Anarchist to Escape our Dark Age (The Shep Pettibone 12” Remix) - David Mortman, Alex Hutton
  2. Agreed: Data is good
  3. Agreed?
  4. “• Risk management inputs are estimates and the results are therefore questionable
     • Risk management attempts to predict the future; that is hard
     • Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker
     These are the reasons I reject Risk Management.” - a well known Security RockStar
  5-7. (cumulative build, rebutting each point in turn)
     • Risk management inputs are estimates and the results are therefore questionable
       • All measurements are estimates. We’re just quibbling about the amount of uncertainty.
     • Risk management attempts to predict the future; that is hard
       • This simplifies information theory. Risk Management only describes certainty (Bayesian - “belief”) about a current state of nature in order to make decisions.
       • Are climate studies “science”? If so, then how is this different than the global warming “debate”?
     • Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker
       • This is just silly. It’s saying the past is non-informative.
  8. “These are the reasons I reject Risk Management.”
  9. “These are the reasons I reject Risk Management.” Rejection in favor of what, exactly?
  10. Epistemological Anarchy: Rain Dances and Astrology are just as valid as Biology and Physics
  11. Epistemological Anarchy: The rejection of an ability to derive a State of Knowledge
  12. Meet The Rev. Thomas Bayes and E.T. Jaynes
  13. Bayesian Rationalism: There is no certainty, but degrees of certainty that create a state of probable knowledge
  14. The search for Truth aside, can we acquire a “body of knowledge”?
  15. Kuhn’s Protoscience - a stage in the development of a science that is described by:
     • somewhat random fact gathering (mainly of readily accessible data)
     • a “morass” of interesting, trivial, irrelevant observations
     • a variety of theories (spawned from what he calls philosophical speculation) that provide little guidance to data gathering
  16. What is required to develop a “body of knowledge”, a social science for security & risk management?
  17. [Diagram: the Loss Landscape, Threat Landscape, Asset Landscape and Controls Landscape arranged around “risk” and “security / state of vulnerability”]
  18. [Diagram: the same landscapes, with “capability to manage” / “risk management” added]
  19-20. To develop a “body of knowledge”, a social science for security & risk management? Disciplines per component of the risk landscape:
     • Capability to Manage: Decision Theory, Management Science, Probability Theory
     • Loss Landscape: Economics, Behavioral Economics, Security, Management Science, Probability Theory
     • Threat Landscape: Behavioral Economics, Probability Theory
     • Asset Landscape: Management Science, Probability Theory
     • Controls Landscape: Management Science, Probability Theory, Control Theory
  21. What is required to develop a “body of knowledge”, a social science for security & risk management?
     • Information & Theories (Models) about the Risk Landscape
     • Data. At first applicable within the context provided by those theories, but data tends to stand by itself for future theories
  22. Models (Theories) don’t have to be perfect, just ego-less
  23. The Mortman/Hutton Model for Exploit Development/Use
  24. A Vulnerability List Isn’t Enough
  25. The Sexiest Vuln Isn’t The One You Should Be Worrying About.
  26. Patch availability prior to breach:
     • < 1 month: 0%
     • 1-3 months: 4%
     • 3-6 months: 6%
     • 6-12 months: 16%
     • > 1 year: 74%
  27. What About CVSS?
  28. The Mortman/Hutton Model for Expectation of Exploit Use
  29. Example: Microsoft Security Advisory (972890)
  30. The Mortman/Hutton Model Taxonomy
  31-34. [Diagram: taxonomy of “Expectation of Development/Use”, with two branches; nodes marked “= Actor performs Risk Assessment”]
     • Saturation of Vulnerable Technology: Market Penetration, Ability To Compensate (inverse), Ability To Repair, Ability To Apply Controls
     • Exploit Utility: Expected Value of Systems, Code Dissemination, Ease of Use, Nature of Access, Resources (Computing Power, Bandwidth), Information Discovering, Individual Expectation, Expected Value of Systems Volume (fractal), Expected Market Return
  35. Model lives & will be maintained & information can be shared at: The New School of Information Security website, http://www.newschoolsecurity.com
  36. Question & Answer