Security Is Hard.
Mike Murray
Managing Partner
MAD Security / Hacker Academy
mmurray@hackeracademy.com
Twitter: @mmurray
Speaker notes:
  • History lesson: explain the context quickly, then talk about why most of the attacks are against them (either client or human). Then talk about how important what we’re doing is. (Bonus question: What’s next? -> Network, IPv6.) Hit the defense-in-depth message here.
  • There were 480 data breaches in 2009. Source: http://datalossdb.org/statistics?timeframe=all_time
    Gartner Says the Cost of a Sensitive Data Breach Will Increase 20 Percent per Year Through 2009. Analysts Examine Security, Risk and Compliance Threats During Gartner Symposium/ITxpo 2007, October 7-12, in Orlando.
    Financially motivated targeted attacks are becoming more prevalent and new vulnerabilities continue to be reported, but 90 percent of these attacks can be avoided without requiring any increase in security spending, according to Gartner, Inc. However, ensuring one’s enterprise is not part of the 10 percent requires implementing security processes to monitor and manage vulnerabilities and provide strong identity and access management capabilities.
    Gartner analysts discussed the critical technology and organizational “dos and don’ts” for successful enterprisewide security at Gartner Symposium/ITxpo 2007, which is taking place here through October 12.
    “The biggest attack risk to enterprises comes from targeted attacks,” said John Pescatore, vice president and distinguished analyst for Gartner. “In addition, phishing and identity theft attacks have caused the rise of ‘credentialed’ attacks, in which the attacker uses the credentials of a legitimate user.”
    “Malicious software (malware) attacks also allow internal executables to be used to forward information to an external attacker,” Mr. Pescatore said. “Being aware of ‘inside out’ communications and being able to block those as effectively as ‘outside in’ is becoming increasingly important. Security strategies must reduce the cost of dealing with mass attacks to free up investment and personnel resources to evolve capabilities for dealing with these more-complex targeted attacks.”
  • Talk about the certification bodies’ business model
  • This is why the CASP is awesome – questions actually focus on making people do stuff
  • The importance of repeatable skills: our focus on certifications brings us a focus on perishable skills
  • Just in time (JIT) is a production strategy that strives to improve a business’s return on investment by reducing in-process inventory and associated carrying costs.
  • Luckily, education is changing…
  • Improve your humans. Improve your security. Choose MAD Security. Thank you. [end of presentation]

Slide transcript:

1. Security Is Hard. Mike Murray, Managing Partner, MAD Security / Hacker Academy. mmurray@hackeracademy.com, Twitter: @mmurray. © 2010 – MAD Security, LLC. All rights reserved.
2. Information Security is Constantly Evolving. No I mean REALLY evolving.
3. Innovators
4. Early Adopters
5. Early Majority
6. Late Majority
7. Laggards
8. Vulnerability Distribution
9. So what?
10. Human / Organization, Network, Service / Server
11. Datalossdb.org Incidents over Time (chart: Number of Incidents, 0 to 900, and Total Records, 0 to 200,000,000, by year from 2000 to 2011)
12. Human / Organization, Network, Service / Server, Client, Application
13. Data Extrusion, APT, Application Whitelisting, Web Application Security, Phishing, Mobile Apps, Vulnerability Management, Database Security, IDS, IPS, Endpoint Security, Spear Phishing, GRC, Secure Coding / SDLC, WiFi Security, BYOD
14. Security Training: Role-Based Security, End User “Awareness”
15. Security Awareness, from Least Technical to Most Technical: Management, Audit, Architecture, Operations, Hacker, Forensics/IR
16. The Incentives are Wrong.
17. What do we do about it?
18. Skills, Not Certifications
19. Systems Thinking
20. Just-In-Time (JIT) Education
21. Constantly Evolving Education
    • Materials need to evolve as our industry does
    • Educators need to be rewriting courses on a monthly timeframe, not a yearly or every-3-year timeframe.
22. Education needs to Change!
23. Improve your HUMANS… Improve your SECURITY.