SECURITY IS A SNAPSHOT IN TIME -
SO HOW DO WE KEEP UP?
Adam Cecchetti
Deja vu Security
Hello!
• Adam Cecchetti
• Deja vu Security : Founder, CEO
• Peach Tech : Co-Founder, Chairman
• CMU : M.S. Information Networking
Deja vu Security
• Seattle based, operating since 2010
• 100s of app and hardware assessments
• Web, IoT, cryptocurrency, infrastructure, etc.
• Training of developers, engineers, and teams to better understand modern threats.
TIME IS UNDEFEATED
Time Erodes All Things
A Sense of Deja vu
Deja vu. Deja vu. Deja vu. Deja vu.
Networks
Applications
Web
Cloud
Internet of Things (IoT)
“The tubes are on fire!”
“The desktop is on fire!”
“The world is on fire!”
“The sky is on fire!”
“Your pants are on fire!”
The Problem is Big
• The first step to recovery is the hardest.
• Awareness is good, but it doesn’t cure cancer.
• Security issues must be found; they can’t be created.
• Inherited: passed down the software gene pool.
• Plentiful: defense helps, but we keep kicking over more rocks.
• Random: the future is asymmetrically secured.
• Polymorphic: the tools we use to build systems are themselves security issues.
• We are going to have to start thinking differently.
Not That Differently
Tick, Tock.
• Data movement sets the cadence for how we’ve built things.
• Echoes: the ghosts of usage models past.
• We leave data and code everywhere users go.
• User data replicates every decade or so.
[Timeline figure, axis t, rows labelled Centralized and Distributed: 70’s Mainframe, 80’s PC, 90’s Web/Email, 00’s Social Networks, 2010 Cloud, 2020 IoT, 2030 Internet of Me]
Security is a Snapshot in Time
• Security is a snapshot in time.
• Tomorrow is a new day full of drama on Twitter!
• Today is a great day to deprecate a system.
• Move user data to a safer and better place.
• Hackers are unstoppable in 1995.
• The closer the snapshot is to 1995, the better for the hackers.
• The person building the system decides which snapshot is taken:
  Protocols from 1995
  Libraries from 2006
  Binaries from 2014
  A Linux build from 2016
199X
• No memory defenses (NX, ASLR, stack cookies, etc.)
• No patching system or focus on security patches
• Little to no security awareness
• Default passwords, services, attack surface
• The closer the clock is to 1995, the stronger the hackers.
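Which of those 199X gaps a given Linux binary still carries can be read straight out of its ELF headers. The following is an added example, not code from the talk: a small ELF64 header reader that reports PIE (the ET_DYN file type that lets the loader apply ASLR to the executable itself), NX (a PT_GNU_STACK program header without the execute flag) and, as a heuristic only, stack cookies (the presence of the __stack_chk_fail symbol name that -fstack-protector pulls in). The build_sample_elf helper constructs a header-only image so the check runs offline; it is not a loadable program, and the constants are the standard ELF values.

```python
import struct
import sys

# ELF64 constants from the ELF specification and the GNU extensions
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551          # program header describing stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EM_X86_64 = 0x3E


def elf_mitigations(data: bytes) -> dict:
    """Read the ELF64 header and program headers of `data` and report
    whether the binary carries PIE, NX and (heuristically) stack cookies."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]          # ET_EXEC or ET_DYN
    e_phoff = struct.unpack_from("<Q", data, 32)[0]         # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # No PT_GNU_STACK at all is how 1990s toolchains emitted binaries; the loader
    # then falls back to an executable stack, so start from that assumption.
    exec_stack = True
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)

    return {
        "pie": e_type == ET_DYN,                 # position independent: ASLR can move the image
        "nx": not exec_stack,                    # stack is not executable
        "canary": b"__stack_chk_fail" in data,   # heuristic: symbol pulled in by -fstack-protector
    }


def missing_defenses(report: dict) -> list:
    """Names of the defenses the binary lacks, i.e. how far back its clock is set."""
    return [name for name in ("pie", "nx", "canary") if not report[name]]


def build_sample_elf(pie: bool, nx: bool, canary: bool) -> bytes:
    """Constructed sample input: a header-only ELF64 image with a single
    PT_GNU_STACK entry. It is not loadable; it exists so the checker runs offline."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, EM_X86_64, 1,   # e_type, e_machine, e_version
        0, 64, 0, 0,                                 # e_entry, e_phoff, e_shoff, e_flags
        64, 56, 1, 0, 0, 0,                          # e_ehsize, e_phentsize, e_phnum, e_sh*
    )
    flags = PF_R | PF_W | (0 if nx else PF_X)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr + (b"\0__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        result = elf_mitigations(fh.read())
    print(result, "missing:", missing_defenses(result))
```

Run it as `python elfcheck.py /path/to/binary` to see which decade a binary's defenses date from. The canary test is a byte search, so it can miss or false-positive; `readelf -lW`, `nm -D` and checksec give the authoritative answer, and RELRO and FORTIFY_SOURCE are not covered here. A missing PT_GNU_STACK is reported as an executable stack because that is what older loaders assumed.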
You Wouldn’t March This Army Today
You Wouldn’t March This Army in 2117
Snapshot 1: 2002 vs 2017 Hackers
Snapshot 2 : 1995 vs 2017 Hackers
Computers are Awesome!
• They don’t LET you do anything.
• They DO anything!
• And only the things you tell them to.
• CPU: AMMA, that’s about machine code to microcode.
• Good luck with the rest! That’s not what I do!
• General computation is good; however, it means:
• No reliability, no availability, no security.
• This includes anything we build.
• Complexity leads to side effects, and exploitation is programming with side effects.
Memory Leak in /dev/litterbox?!
We Are at an Odd Juncture
• Mobile is eating all markets, just like the PC did.
• User habits are changing, again.
• Web ate the rest of the world.
• User data flows in new directions
• And lingers in the eddies.
• And for those of us left who still care about general computation, we have to run unknown kernel and firmware exploits to program our phones.
Jailbroken
“Stop Putting Things on the Internet”
• You might as well tell water to stop being wet.
• It is free to put another computer on the Internet.
• Putting a Pentium Pro in anything is free.
• In 4 years putting an iPhone 1 in everything is free. Why?
• Inverse of Moore’s law.
Moore’s Law: # transistors doubles every 18 months
[Chart: transistors per chip vs. year, 1971 to 2016, y-axis 0 to 8E+09]
Inverse of Moore’s Law
Every 18 months the cost of a
transistor halves.
Free Pentium Pro for Every Dishwasher
[Chart: inverse of Moore’s Law applied to a 1995 Pentium’s worth of transistors, 1995 to 2022, y-axis $0 to $1,200]
Putting a $1000 Pentium from 1995 in a dishwasher is free, today and every day in the future.
Everything is an iPhone in the near future.
[Chart: cost of a first-generation iPhone’s worth of transistors, 2007 to 2022, y-axis $0 to $600]
Adding a 1st Gen iPhone worth of transistors to everything: $4 in 2018, free in 2022.
Phrased another way, adding Wi-Fi, GSM, Bluetooth, GPU, CPU, storage, and sound to everything is free in 2022.
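The halving rule behind the two charts, carried through as an added derivation that is not on the slides: with $C_0$ the cost at the launch year $t_0$ and the cost halving every 1.5 years,

$$C(t) = C_0 \cdot 2^{-(t - t_0)/1.5}$$

For the iPhone, taking $C_0 = \$599$ (the 8 GB launch price in 2007, which the chart’s $600 axis ceiling matches; the slides themselves state only the end points):

$$C(2018) = 599 \cdot 2^{-11/1.5} \approx \frac{599}{161} \approx \$3.7, \qquad C(2022) = 599 \cdot 2^{-15/1.5} = \frac{599}{1024} \approx \$0.58$$

which reproduces the “$4 in 2018, free in 2022” on the slide. For the $1000 Pentium of 1995 the same rule gives

$$C(2017) = 1000 \cdot 2^{-22/1.5} \approx \frac{1000}{26{,}000} \approx \$0.04$$

The rule prices the transistors only; the radio, power, certification and support around them do not halve on the same clock, which is the caveat to “free”.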
The Internet Finally Showed Up!
• The amount of air gap between our lives and the Internet is shrinking daily.
• Soon it will be gone. Good riddance! Plug me in!
• Unless you have decided to live in a cave.
• And in another tick-tock there’s still a chance it will have IP-enabled bat guano.
• Technology is awesome!
• In 5 years my self-driving car will live stream.
• Localized live traffic video broadcasting and viewing is going to be a thing.
• There are going to be people sitting in traffic watching other people sit in traffic around the world.
Live From the I5 Parking Lot…
Be Still My Beating Heart
• The Internet of Me is coming soon.
• I can’t wait until my heart has an IP address
• And firmware updates
• And an app store to monetize!
• Cardio Trainer+ 4.0
  Now with Twitter integration!
• Cardio Trainer+ 4.0.1
  Pushed a patch, as some users were excessively twitching while tweeting.
• Move fast and break things is not what I want for IP-addressable organs.
Everybody Bugs
• Bugs happen.
• They happen to the best.
• They happen to the worst.
• Imperfection is the proof of life and existence.
• Mistakes are proof you actually did something.
• Keep building a better future one mistake at a time.
How to Lose Normal People
Start with Details
• “The buffer can overflow causing a corruption of the pointer which in turn is referenced by the vtable to cause code to jump to a known location as a result of ASLR being not compiled into a supporting DLL”
• “The password is P@ssw0rd!”
• “User A can access the details of User B”
CVE-2017 – Critical Bass Overflow
How to Get Things Flowing
Helping People Understand w/Impact
• The user’s bank account can be drained.
  One person cares.
• The company can no longer perform transactions.
  The entire company cares.
• The car performs a J-turn at 60 mph during rush hour.
  1 news cycle.
• The plane crashes.
  2 news cycles, 4 if they can’t find the plane.
• The pacemaker stops and kills the user.
  2 federal agencies + n pacemaker users care.
• The power plant explodes.
  People care until the lights come back on.
In an Age of Infinite Scroll
“Hacked a what? Oh, right.”
Ken
• Ken /ken/ noun
  “one’s range of knowledge or sight”
  “know”
• How far you see.
• How wide or narrow your focus is.
• How much you understand.
• How far someone else can see, focus, and understand.
Ken
Ken : My Ken
Ken : Your Ken
Ken : Our Ken
Ken
• Their Ken: I need to move 14,000 planes a day with 300 people in each, or the global economy stops.
• My Ken: Planes can move in ways you don’t intend if you connect them to the Internet; they might even crash.
• Their Ken: Customers don’t like to crash.
• My Ken: Fewer planes move if they crash.
• Our Ken: Let’s make new planes that are easier to move and safer.
Ken
• Accepting WE > I
• Knowing the range of my knowledge and vision enables me to spend our time better.
• Knowing how to better understand the range of another’s vision helps us get to shared impact faster.
• Then we can start sharing details.
Testing for Echo
Test for Echo
• You have lost if:
  All you are hearing is your own words coming back.
  Things you already know.
• Shared exchange of ken is shared extension.
  In turn it is shared vulnerability.
• Sustained echo is at best rapid construction of a chamber.
  On a more-than-decade time scale it is slow death.
Details: Our Three Wins
• Firewalls
• Encryption
• Two Factor Authentication
Impact: Three Extensions of Ken
• Firewalls
  I don’t want to run Ethernet cable in my house.
  Wi-Fi + Firewall = Win!
• Encryption
  I can’t make it to the bank or store today.
  I need to work from home.
  Commerce from home + encrypted tunnel = Win!
• Two Factor Authentication
  I don’t want to re-grind my character.
  World of Warcraft = Win!
Ken: When Have We Won?
• We’ve won the same way everyone else has.
• When we’ve made someone’s life better, they adopted a technology.
  It happened to be more secure because we spent years working on the details.
• If we want to get pedantic, we used Trojan horses to backdoor security into people’s lives.
• Applying security to a shift in user behavior.
  This is better!
  We defined that part of being better was being more secure!
Ken: The users
• Want to do the thing and will always want to do the thing.
• Help the user keep doing the thing they want to do.
So how do we keep up?
• Details
• Impact
• Ken
Details: Get to Work
Bug: #1 Data as Code
• What do Cross-Site Scripting, SQL Injection, and Buffer Overflows all have in common?
• They are all data being interpreted as code.
• Anywhere user- or machine-controlled data is used, interpreted, or parsed, a security issue awaits.
• This is big enough to master that you can spend multiple lifetimes right here.
• We’ve actually started to make steps towards fixing this problem in some places.
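The SQL injection and cross-site scripting halves of that list side by side, as an added example that is not code from the talk: the vulnerable form splices user-controlled data into text that a parser will read as code, the fixed form keeps the two apart (bound parameters for SQL, escaping for HTML). The user table and the payloads are constructed for the example; the buffer-overflow case is the same principle applied to C and is not shown here.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: an in-memory user table standing in for the real backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Data becomes code: the caller's string is pasted into the SQL text, so any
    # quote or operator inside it is parsed as SQL rather than compared as a value.
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(query).fetchone() is not None


def login_fixed(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Data stays data: the SQL text is constant and the values are bound
    # separately, so the engine never parses them.
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None


def render_comment_vulnerable(comment: str) -> str:
    # Same bug, different parser: the browser reads the comment as HTML/JavaScript.
    return f"<p>{comment}</p>"


def render_comment_fixed(comment: str) -> str:
    # Escaping turns the markup characters into text the browser displays instead of runs.
    return f"<p>{html.escape(comment, quote=True)}</p>"


def demo() -> dict:
    """Run both pairs against one classic payload each; returns what each variant did."""
    db = make_db()
    sqli = "' OR '1'='1"                  # closes the string, then makes the WHERE clause always true
    xss = "<script>alert(document.cookie)</script>"
    return {
        "sqli_bypasses_vulnerable": login_vulnerable(db, "alice", sqli),
        "sqli_bypasses_fixed": login_fixed(db, "alice", sqli),
        "xss_survives_vulnerable": "<script>" in render_comment_vulnerable(xss),
        "xss_survives_fixed": "<script>" in render_comment_fixed(xss),
    }
```

The vulnerable query ends up as `... AND password = '' OR '1'='1'`, which is true for every row; the bound parameter version compares the whole payload as a password and finds nothing. Parameterized queries, auto-escaping template engines and memory-safe languages are the steps towards fixing this in some places.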
Bug: #2 Gamers are Going to Game
• Logical issues require someone to game the system.
• You must try to understand all the unexpected behavior of the system’s logic.
• There are few good ways to test this automatically.
• The Meta Game
  Attackers will continue to go for the weakest link.
  Hint: it’s in 1995.
  Unless the time vs. reward scenario is high,
  or the motivation vs. reward scenario is super high.
Bug: #3 The Secret Isn’t Secret
• Password1!
  Upper, lower, numeric, special!
  Secure by most IT and web policy!
• ' Or '1'='1'; --
  Upper, lower, numeric, special!
  No key words!
  16 characters!
  Secure!
• If not bad word jumbles, then bits generated by a machine given back to a machine!
Bug:#4 The thing is in the wrong place
• What is this?
• Wait, why is this here?
• This shouldn’t be here!
• OMG WHY IS THIS HERE
• System, person, or information in the wrong place.
  Sensitive data management
  Asset management
  Physical pen tests
  Etc.
To Master Impact
• See the system as a graph of lists sorted by time.
• Know what matters in the system.
• Use the details to break the system.
• When the system will not break, change the game.
Impact: Master The Graph
Impact: Master The Graph
• Seeing the system as a graph allows direct access to what is most impactful for the system.
Impact: Master the Clock
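One way to make “a graph of lists sorted by time” operational, as an added model that is not from the talk: tag each component with the year its security posture dates from, attach impact to the assets that matter, and search for the path an attacker would take. Because every component on a path has to be beaten, the cost of a path is its newest (hardest) component, and the attacker wants the path that minimises that, which is a bottleneck shortest path. The system below, its years and its impact scores are constructed for the example.

```python
import heapq

# Constructed sample system. "year" is the snapshot the component's defenses date
# from (the slide's clock); "impact" is what it is worth to the business.
COMPONENTS = {
    "internet":      {"year": 2017, "impact": 0},
    "web-frontend":  {"year": 2016, "impact": 1},
    "auth-service":  {"year": 2014, "impact": 3},
    "legacy-ftp":    {"year": 1995, "impact": 1},
    "hr-file-share": {"year": 2006, "impact": 6},
    "payments-db":   {"year": 2012, "impact": 10},
}
# Directed edges: from where an attacker stands to what they can reach next.
EDGES = {
    "internet":      ["web-frontend", "legacy-ftp"],
    "web-frontend":  ["auth-service"],
    "auth-service":  ["payments-db"],
    "legacy-ftp":    ["hr-file-share", "payments-db"],
    "hr-file-share": [],
    "payments-db":   [],
}


def easiest_paths(source: str, components: dict = COMPONENTS, edges: dict = EDGES) -> dict:
    """Bottleneck shortest paths from `source`: for every reachable component,
    the path whose hardest (newest) hop is as old as possible, i.e. Dijkstra
    with max() in place of +. Returns {target: (hardest_year, path)}; the
    source costs 0 because the attacker already stands there."""
    best = {source: (0, [source])}
    heap = [(0, source)]
    while heap:
        year, node = heapq.heappop(heap)
        if year > best[node][0]:
            continue                                  # stale heap entry
        for nxt in edges[node]:
            cand = max(year, components[nxt]["year"])
            if nxt not in best or cand < best[nxt][0]:
                best[nxt] = (cand, best[node][1] + [nxt])
                heapq.heappush(heap, (cand, nxt))
    return best


def prioritised(source: str, components: dict = COMPONENTS, edges: dict = EDGES) -> list:
    """What matters most, cheapest to reach first: (target, impact, hardest_year, path),
    sorted by impact descending, then by how old the hardest hop is."""
    rows = []
    for target, (year, path) in easiest_paths(source, components, edges).items():
        if target != source:
            rows.append((target, components[target]["impact"], year, path))
    return sorted(rows, key=lambda r: (-r[1], r[2]))


def weakest_link(path: list, components: dict = COMPONENTS) -> str:
    """The oldest component on a path: where to spend the deprecation budget."""
    return min(path[1:], key=lambda n: components[n]["year"])


def with_upgrade(name: str, year: int, components: dict = COMPONENTS) -> dict:
    """Master the clock: the same system with one component's snapshot moved forward."""
    updated = {k: dict(v) for k, v in components.items()}
    updated[name]["year"] = year
    return updated
```

With this graph `prioritised("internet")` puts payments-db first, reached through the 1995 FTP server rather than the 2016 web stack, and `weakest_link` names legacy-ftp as the hop to deprecate; recomputing with `with_upgrade("legacy-ftp", 2017)` moves the easiest route to payments-db onto the 2016 web path. The model is deliberately crude: a year is a proxy for how hard a hop is, and a real assessment would weight exposure, authentication and blast radius per hop. What it shows is the talk’s two moves: impact tells you which targets to rank, the clock tells you which hop to retire.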
To Master Ken
• Know yourself and share ideas and creations.
• Ask to know and understand others.
• Use impacts to connect yourself to others faster.
• Seek the patterns that allow you to extend your vision and knowledge.
• Use details to demonstrate impacts.
• Never start with details.
To Master Ken
• In cooperation:
  Use your ken to help others see what they cannot.
  Ask to be shown what you cannot see.
• In conflict:
  Find the blind spots.
  Where someone is blind they cannot defend.
Mastering Ken
Ken: Test for Echo
• Step out of the echo chamber from time to time.
• Find people who have problems in different industries that you’ll never have.
• Listen to them.
• See how much you can share, but more importantly see what comes back when you do.
So How To Keep Up?
• Understand what snapshot you need to take (Ken) and how often you need to take it (Impact). Then start to secure it by building tomorrow (Details).
• Let the past go when you can.
• Pull out the oldest versions when you can.
• Build a better tomorrow and ask people to help you convince others to adopt it.
• Ask yourself: do you want to keep clawing away from 1995, or start building a better 2020?
Takeaways
• Security is a snapshot in time.
• That snapshot is part ken, part impact, and part details.
• Building a better tomorrow can build a more secure tomorrow.
• Building a better tomorrow requires more than details and impact.
• It requires understanding your own ken to start.
• I hope this talk has extended yours.
Thank You
@adamcecc

Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX 2017

  • 1. SECURITY IS A SNAPSHOT IN TIME - SO HOW DO WE KEEP UP? Adam Cecchetti Deja vu Security
  • 2. Hello!  Adam Cecchetti  Deja vu Security : Founder, CEO  Peach Tech : Co-Founder, Chairman  CMU : M.S. Information Networking
  • 3. Deja vu Security  Seattle based operating since 2010  100s of App and Hardware assessments  Web, IoT, Cryptocurrency, Infrastructure, etc  Training of developers, engineers, and teams to better understand modern threats.
  • 6. A Sense of Deja vu
  • 7. Deja vu. Deja vu. Deja vu. Deja vu. Networks Applications Web Cloud Internet of Things (IoT) “The tubes are on fire!” “The desktop is on fire!” “The world is on fire!” “The sky is on fire!” “Your pants are on fire!”
  • 8. The Problem is Big  The first step to recovery is the hardest.  Awareness is good, but it doesn’t cure cancer.  Security issues must be found they can’t be created.  Inherited, passed down the software genepool.  Plentiful, defense helps but we kick over more rocks.  Random, the future is asymmetrically secured.  Polymorphic, the tools we use to build systems are security issues.  We are going to have to start thinking differently.
  • 10. Tick, Tock.  Data movement is a cadence to how we’ve built things.  Echoes, the ghosts of usage models past.  We leave data and code everywhere users go.  User data replicates every decade or so. t Centralized Distributed 70’s 90’s 2010 2030 80’s 00’s 2020 Mainframe Web/Email Cloud Internet of Me PC Social Networks IoT
  • 11. Security is a Snapshot in Time  Security is a snapshot in time.  Tomorrow is a new day full of drama on Twitter!  Today is a great day to deprecate a system.  Move user data to a safer and better place.  Hackers are unstoppable in 1995.  The closer the temporal snapshot to 1995 the better for hackers.  The person building the system decides the snapshot that is taken.  Protocols from 1995  Libraries from 2006  Binaries from 2014  A Linux build from 2016
  • 12. 199X  No memory defense (NX, ASLR, StackCookies,etc)  No patching system or focus on security patches  Little to no security awareness  Default passwords, services, attack surface  Closer the clock is to 1995 the stronger the hackers
  • 13. You Wouldn’t March This Army Today
  • 14. You Wouldn’t March This Army in 2117
  • 15. Snapshot 1: 2002 vs 2017 Hackers
  • 16. Snapshot 2 : 1995 vs 2017 Hackers
  • 17. Computers are Awesome!  They don’t LET you do anything.  They DO anything!  And only things you tell them  CPU: AMMA that’s about Machine code to Microcode  Good luck with the rest! That’s not what I do!  General computation is good however it means:  No reliability, no availability, no security.  This includes anything we build.  Complexity leads to side effects and exploitation is programing with side effects.
  • 18. Memory Leak in /dev/litterbox?!
  • 19. We Are at an Odd Juncture
    - Mobile is eating all markets just like the PC did.
    - User habits are changing, again.
    - Web ate the rest of the world.
    - User data flows in new directions, and lingers in the eddies.
    - And for those of us left that still care about general computation, we have to run unknown kernel and firmware exploits to program our phones.
  • 21. “Stop Putting Things on the Internet”
    - You might as well tell water to stop being wet.
    - It is free to put another computer on the Internet.
    - Putting a Pentium Pro in anything is free.
    - In 4 years putting an iPhone 1 in everything is free. Why?
    - Inverse of Moore’s law.
  • 22. Moore’s Law
    [Chart: # Transistors (2x every 18 months) vs Year, 1971 to 2016; vertical axis 0 to 8E+09]
  • 23. Inverse of Moore’s Law
    - Every 18 months the cost of a transistor halves.
  • 24. Free Pentium Pro for Every Dishwasher
    [Chart: Inverse of Moore’s Law, price of a 1995 $1,000 Pentium vs year, 1995 to 2022; vertical axis $0.00 to $1,200.00]
    - Putting a $1000 Pentium from 1995 in a dishwasher is free, today and every day in the future.
  • 25. Everything is an iPhone in the near future.
    [Chart: iPhone, price of a 1st Gen iPhone’s worth of transistors vs year, 2007 to 2022; vertical axis $0 to $600]
    - Adding a 1st Gen iPhone worth of transistors to everything: $4 in 2018, free in 2022.
    - Phrased another way: adding Wifi, GSM, Bluetooth, GPU, CPU, storage, & sound to everything is free in 2022.
  • 26. The Internet Finally Showed Up!
    - The amount of air gap between our lives and the Internet is shrinking daily.
    - Soon it will be gone. Good Riddance! Plug me in!
    - Unless you have decided to live in a cave.
    - And in another tick tock there’s still a chance it will have IP enabled bat guano.
    - Technology is awesome!
    - In 5 years my self driving car will live stream.
    - Localized live traffic video broadcasting and viewing is going to be a thing.
    - There are going to be people sitting in traffic watching other people sit in traffic around the world.
  • 27. Live From the I5 Parking Lot…
  • 28. Be Still My Beating Heart
    - The Internet of Me is coming soon.
    - I can’t wait until my heart has an IP address.
    - And firmware updates.
    - And an app store to monetize!
      - Cardio Trainer+ 4.0: Now with Twitter Integration!
      - Cardio Trainer+ 4.0.1: Pushed a patch as some users were excessively twitching while Tweeting.
    - Move fast and break things is not what I want for IP addressable organs.
  • 29. Everybody Bugs
    - Bugs happen.
    - They happen to the best.
    - They happen to the worst.
    - Imperfection is the proof of life and existence.
    - Mistakes are proof you actually did something.
    - Keep building a better future one mistake at a time.
  • 30. How to Lose Normal People
  • 31. Start with Details
    - “The buffer can overflow causing a corruption of the pointer which in turn is referenced by the vtable to cause code to jump to a known location as a result of ASLR being not compiled into a supporting DLL”
    - “The password is P@ssw0rd!”
    - “User A can access the details of User B”
  • 32. CVE-2017 – Critical Bass Overflow
  • 33. How to Get Things Flowing
  • 34. Helping People Understand w/Impact
    - The user’s bank account can be drained. One person cares.
    - The company can no longer perform transactions. The entire company cares.
    - The car performs a J-turn at 60 mph during rush hour. 1 news cycle.
    - The plane crashes. 2 news cycles, 4 if they can’t find the plane.
    - The pacemaker stops and kills the user. 2 Federal Agencies + n pacemaker users care.
    - The power plant explodes. People care until the lights come back on.
  • 35. In an Age of Infinite Scroll
  • 36. “Hacked a what? Oh, right.”
  • 37. Ken
    - Ken /ken/ noun: “one’s range of knowledge or sight”; “know”
    - How far you see.
    - How wide or narrow you are focused.
    - How much you understand.
    - How far someone else can see, focus, and understand.
  • 38. Ken
  • 39. Ken : My Ken
  • 40. Ken : Your Ken
  • 41. Ken : Our Ken
  • 42. Ken
    - Their Ken: I need to move 14,000 planes a day with 300 people in them each or the global economy stops.
    - My Ken: Planes can move in ways you don’t intend if you connect them to the Internet, might even crash.
    - Their Ken: Customers don’t like to crash.
    - My Ken: Fewer planes move if they crash.
    - Our Ken: Let’s make new planes that are easier to move and safer.
  • 44. Ken
    - Accepting WE > I
    - Knowing the range of my knowledge and vision enables me to spend our time better.
    - Knowing how to better understand the range of another’s vision helps us get to shared impact faster.
    - Then we can start sharing details.
  • 46. Test for Echo
    - You have lost if all you are hearing is your own words come back: things you already know.
    - Shared exchange of ken is shared extension. In turn it is shared vulnerability.
    - Sustained echo is at best rapid construction of a chamber.
    - On a more than decade time scale it is slow death.
  • 47. Details: Our Three Wins
    - Firewalls
    - Encryption
    - Two Factor Authentication
  • 48. Impact: Three Extensions of Ken
    - Firewalls: I don’t want to run Ethernet cable in my house. Wifi + Firewall = Win!
    - Encryption: I can’t make it to the bank or store today. I need to work from home. Commerce from home + encrypted tunnel = Win!
    - Two Factor Authentication: I don’t want to re-grind my character. World of Warcraft = Win!
  • 49. Ken: When Have We Won?
    - We’ve won the same way everyone else has.
    - When we’ve made someone’s life better, they adopted a technology.
    - It happened to be more secure because we spent years working on the details.
    - If we want to get pedantic, we used Trojan horses to backdoor security into people’s lives.
    - Applying security to a shift in user behavior. This is better!
    - We defined that part of being better was more secure!
  • 50. Ken: The users
    - Want to do the thing and will always want to do the thing.
    - Help the user keep doing the thing they want to do.
  • 51. So how do we keep up?
    - Details
    - Impact
    - Ken
  • 53. Bug: #1 Data as Code
    - What do Cross Site Scripting, SQL Injection, and Buffer Overflows all have in common?
    - They are all data being interpreted as code.
    - Any place that user or machine controlled data is being used, interpreted, parsed; a security issue awaits.
    - This is big enough to master that you can spend multiple lifetimes right here.
    - We’ve actually started to make steps towards fixing this problem in some places.
  • 54. Bug: #2 Gamers are Going to Game
    - Logical issues require someone to game the system.
    - Must try and understand all the unexpected behavior of the logic of the system.
    - Few good ways of automated testing here.
    - The Meta Game: attackers will continue to go for the weakest link. Hint: it’s in 1995.
      - Unless the time vs. reward scenario is high
      - or the motivation vs. reward scenario is super high
  • 55. Bug: #3 The Secret Isn’t Secret
    - Password1!
      - Upper, Lower, Numeric, Special!
      - Secure by most IT and Web policy!
    - ' Or '1'='1'; --
      - Upper, Lower, Numeric, Special!
      - No key words!
      - 16 characters!
      - Secure!
    - If not bad word jumbles, then bits generated by a machine given back to a machine!
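Bug #1 (data interpreted as code) and bug #3 (the "secure" 16-character string) are the same lesson seen from two sides, so one added example covers both. It is not the speaker's or Deja vu Security's code: a constructed in-memory SQLite table stands in for a login database, `meets_policy` is an assumed upper/lower/digit/special policy of the kind the slide mocks, and the two login functions show the slide's string once spliced into the SQL text and once bound as a parameter.

```python
"""Data as code: the slide's "password" as a bound value versus as SQL text.
Added example for this page, not the talk's code; all data is constructed."""
import re
import sqlite3

# The slide's 16-character string: upper, lower, digit, special, no dictionary word.
INJECTION = "' Or '1'='1'; --"


def make_db() -> sqlite3.Connection:
    """Constructed sample users. Clear-text passwords only to keep the demo short;
    a real system compares a password hash, the query shape is the point here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Password1!"), ("bob", "correct horse battery")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Data interpreted as code: the password is spliced into the SQL string,
    so quotes and comment markers inside it become part of the query."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterized: the driver binds the password as a value; it is compared,
    never parsed, so the same input is just a wrong password."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def meets_policy(pw: str) -> bool:
    """Assumed 'upper, lower, numeric, special, 8+ chars' complexity policy."""
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ])


if __name__ == "__main__":
    db = make_db()
    print("policy accepts the slide's string:", meets_policy(INJECTION))
    print("concatenated query returns:", login_vulnerable(db, "alice", INJECTION))
    print("parameterized query returns:", login_fixed(db, "alice", INJECTION))
```

The complexity policy is satisfied by both `Password1!` and the injection string, which is exactly the slide's point: character-class rules say nothing about whether a string is a secret or a program. The fix is not a better policy but the second query shape, where the boundary between data and code is enforced by the driver rather than by whatever the user typed.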
  • 56. Bug: #4 The thing is in the wrong place
    - What is this?
    - Wait, why is this here?
    - This shouldn’t be here!
    - OMG WHY IS THIS HERE
    - System, person, information in the wrong place.
      - Sensitive data management
      - Asset management
      - Physical Pen Tests
      - Etc.
  • 57. To Master Impact
    - See the system as a graph of lists sorted by time.
    - Know what matters in the system.
    - Use the details to break the system.
    - When the system will not break, change the game.
  • 59. Impact: Master The Graph
    - Seeing the system as a graph allows direct access to what is most impactful for the system.
  • 61. To Master Ken
    - Know yourself and share ideas and creations.
    - Ask to know and understand others.
    - Use impacts to connect yourself to others faster.
    - Seek the patterns that allow you to extend your vision and knowledge.
    - Use details to demonstrate impacts. Never start with details.
  • 62. To Master Ken
    - In cooperation:
      - Use your ken to help others see what they cannot.
      - Ask to be shown what you cannot see.
    - In conflict:
      - Find the blind spots.
      - Where someone is blind they cannot defend.
  • 64. Ken: Test for Echo
    - Step out of the echo chamber from time to time.
    - Find people who have problems in different industries you’ll never have.
    - Listen to them.
    - See how much you can share, but more importantly see what comes back when you do.
  • 65. So How To Keep Up?
    - Understand what snapshot you need to take (Ken) and how often you need to take it (Impact). Then start to secure it by building tomorrow (Details).
    - Let the past go when you can.
    - Pull out the oldest versions when you can.
    - Build a better tomorrow and ask people to help you convince others to adopt it.
    - Ask yourself: do you want to keep clawing away from 1995 or start building a better 2020?
  • 66. Takeaways
    - Security is a snapshot in time.
    - That snapshot is part ken, impact, and details.
    - Building a better tomorrow can build a more secure tomorrow.
    - Building a better tomorrow requires more than details and impact.
    - It requires understanding of your own ken to start.
    - I hope this talk has extended yours.