Recommended
More Related Content
Viewers also liked
Viewers also liked (14)
Similar to BSides NYC Wysopal Keynote
Similar to BSides NYC Wysopal Keynote (20)
Recently uploaded
Recently uploaded (20)
BSides NYC Wysopal Keynote
- 1. War, Accidents, or Disease? Keynote Chris Wysopal January 16, 2016
- 2. 2
- 3. The current government paradigm • Threat information • Attack signatures and Attack sources • Collected by Govt. and Industry • Shared in secret • BONUS: Maybe with your personal data too. 3
- 4. Why didn’t we follow these models? 4
- 8. NTSB Incident Reports • Designed to learn from incidents and Improve • Root cause analysis • Recommendations • Public Investigation for serious incidents • Follows sound engineering principle of learning from failures.
- 9. 9 Outcome is Safety Recommendations and Safety Alerts “Recommendations are sent to the organization best able to address the safety issue, whether it is public or private.”
- 15. Is the InfoSec paradigm closest to safety? Alex Stamos comments, “A secure system is safe if it is operated correctly. A safe system is safe if it is operated.” I’ll add the unspoken, “even in the presence of an attacker.”
- 17. If we use war as a paradigm we will learn from and operate like the military.
- 19. Secrecy keeps markets from functioning Transparency can unlock market dysfunction.
- 20. FTC wins case against Wyndham Hotels Cybersecurity Disclosure Act of 2015
Editor's Notes
- Do we want a military and intelligence community vision of information sharing? Or do we treat information risk as a health and safety issue
- CDC - Mandatory Reporting of Infectious Diseases by Clinicians Under the OSHA Recordkeeping regulation (29 CFR 1904), covered employers are required to prepare and maintain records of serious occupational injuries and illnesses, using the OSHA 300 Log. This information is important for employers, workers and OSHA in evaluating the safety of a workplace, understanding industry hazards, and implementing worker protections to reduce and eliminate hazards. Dangerous Products (Section 15) - Manufacturers, importers, distributors, and retailers are required to report to CPSC under Section 15 (b) of the Consumer Product Safety Act (CPSA) within 24 hours of obtaining information which reasonably supports the conclusion that a product does not comply with a safety rule issued under the CPSA, or contains a defect which could create a substantial risk of injury to the public or presents an unreasonable risk of serious injury or death, 15 U.S.C. § 2064(b). Companies can use our on-line form to report a potentially defective or hazardous product. NTSB Federal regulations require operators to notify the NTSB immediately of aviation accidents and certain incidents. An accident is defined as an occurrence associated with the operation of an aircraft that takes place between the time any person boards the aircraft with the intention of flight and all such persons have disembarked, and in which any person suffers death or serious injury, or in which the aircraft receives substantial damage. An incident is an occurrence other than an accident that affects or could affect the safety of operations. (See 49 CFR 830.)
- First commercial air traffic in the 1920’s. NTSB created in 1938. About 20 years after commercial air transport begins formal incident investigation begins. We are more about 23 years into the internet era and incident investigation is fragmented.
- Safety Recommendations Safety recommendations are issued by the NTSB following the investigation of transportation accidents and the completion of safety studies. Recommendations usually address a specific issue uncovered during an investigation or study and specify how to correct the situation. Letters containing the recommendations are sent to the organization best able to address the safety issue, whether it is public or private. Learn More > Safety Alerts Take action to improve your safety and the safety of your family and friends by following the suggestions in these NTSB Safety Alerts. NTSB Safety Alerts provide safety information you can use, and urge you to encourage lawmakers to improve safety at the State level.
- Is getting Conficker in 2016 an attack or an accident or is it like catching a disease?
- Aren’t most security incidents closer to getting Cholera than getting attacked. They are incidents of opportunity. Dan Geer says to look at systems as an ecosystem where organisms survive in an available niche. A vulnerable system is a niche
- Aren’t most security incidents closer to getting Cholera than getting attacked. They are incidents of opportunity. Dan Geer says to look at systems as an ecosystem where organisms survive in an available niche. A vulnerable system is a niche. The organism might consume your resources, algae in a pond, locusts eating your crops, cholera might kill you. These organisms are looking out for them selves but they might harm you.
- An unsafe system when used as it is intended will have bad consequences. Creating heat around a flammable object might cause a fire if it isn’t done safely. Exchanging data on the internet might lead to a compromised system if not done safely.
- Surveillance state. Centralized governmental power over information security.
- Public companies would need to disclose cybersecurity expertise at board level in SEC docs If they can’t they have to disclose how cyber risk is governed and why what they are doing is OK. These help transparancy and can unlock market forces of liability and insurance.
- Why are consumer of software asking this question? We are starting to see it in enterprises, Financial Service.