SlideShare a Scribd company logo
I AM THE CAVALRY
http://iamthecavalry.org
@iamthecavalry
SHOULDN’T YOU BE ALSO?
CLAUS CRAMON HOUMANN
Infosec Community Manager @ Peerlyst
(A start-up Infosec community/Social platform that wants to turn the
tables on cyber security)
Infosec Consultant
The Analogies contributor
Twitter: @claushoumann
IDEA
“Our dependence on technology
is growing faster than our ability
to secure it”
IDEA
“Our society has evolved
faster than our laws”
IDEA
But why wait.......
ALL SYSTEMS FAIL*
* Yes; all
WHERE DO WE SEE CONNECTIVITY NOW?
In Our Bodies In Our Homes
In Our InfrastructureIn Our Cars
HEARTBLEED + (UNPATCHABLE) INTERNET OF
THINGS == ___ ?
In Our Bodies In Our Homes
In Our InfrastructureIn Our Cars
SAY BABY MONITORS AGAIN?
In Our Homes
Source: Rapid7 research/Mark Stanislav: Baby monitors
https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-
THEN
BUT ALSO
IT’S SAFETY
NOT JUST SECURITY
Ouch!
Cars have computers
Computers have security issues
Security issues in cars are safety issues
Safety issues can cost or imperil lives
www.iamthecavalry.org
@iamthecavalry
Past versus Future
Bolt-On Vs Built-In
SOMEONE WILL FIX IT
FOR US
Chapter 2
OR NOT……..
Chapter 3
Let’s create ripples
A DO-OCRACY OF
DO’ERS.
W H ER E D OIN G STARTS W ITH
EMPATHY
And by ripples I mean
The Point?
NEVER DOUBT THAT A SMALL GROUP
OF THOUGHTFUL, COMMITTED
CITIZENS CAN CHANGE THE WORLD;
IT’S THE ONLY THING
THAT EVER HAS.
- MAR GAR ET MEAD
( A N A M E R I C A N C U LT U R A L A N T H R O P O L O G I S T )
•The
The Cavalry isn’t coming… It falls to us
Problem Statement
Our society is adopting connected
technology faster than we are able to
secure it.
Mission Statement
To ensure connected technologies with
the potential to impact public safety
and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why Trust, public safety, human life
How Education, outreach, research
Who Infosec research community
Who Global, grass roots initiative
WhatLong-term vision for cyber safety
Medical Automotive
Connected
Home
Public
Infrastructure
I Am The Cavalry
Connections and Ongoing Collaborations
5-Star Framework
5-Star Capabilities
 Safety by Design – Anticipate failure and plan mitigation
 Third-Party Collaboration – Engage willing allies
 Evidence Capture – Observe and learn from failure
 Security Updates – Respond quickly to issues discovered
 Segmentation & Isolation – Prevent cascading failure
Addressing Automotive Cyber Systems
Automotive
Engineers
Security
Researchers
Policy
Makers
Insurance
Analysts
Accident
Investigators
Standards
Organizations
https://www.iamthecavalry.org/auto/5star/
www.iamthecavalry.org
@iamthecavalry
5-Star Cyber Safety
Formal Capacities
1. Safety By Design
2. Third Party Collaboration
3. Evidence Capture
4. Security Updates
5. Segmentation and Isolation
Plain Speak
1. Avoid Failure
2. Engage Allies To Avoid
Failure
3. Learn From Failure
4. Respond to Failure
5. Isolate Failure
5 STARS
5 star ICS
5 star IoT
5 star medical devices
www.iamthecavalry.org
@iamthecavalry
And!
• Dräger on board with I am the Cavalry as first
medical device producer working directly in
sync with us
• Their Product Security Manager is even
directly involved now
AND MORE IN OTHER AREAS
COMING
We try to connect researchers to
1. Lawmakers to inform of meaningful changes to laws to enforce
secure by default
2. Vendors/producers to inform of secure ways to build securely by
design and of identified vulnerabilities
3. Purchasers of devices (example: Pacemakers, car distributors) to
explain to them why they need to contractually demand security – if
there is demand vendors will supply
AND YES I DID SAY LAWMAKERS
It is WEIRD for you to have to listen to. I
agree, but
WHAT YOU CAN DO
Chapter 5
CONNECTIONS/CONNECTORS
WANTED
Breakers and Builders
Legal and Policy
Citizens, Connectors
Parents/Guardians
Community Leaders/Bloggers/Podcasters/etc.
MOUNT UP AND BE THE
CAVALRY
YOU DON’T ACTUALY
NEED A HORSE
SAFER.
SOONER.
TOGETHER
http://iamthecavalry.org
@iamthecavalry
-> OWASK SKF
-> OWASP SECURITY SHEPHERD
-> OWASP ZAP
Recommendations:
Use SDLC

More Related Content

What's hot

9 Alarming developments in the fight for digital privacy
9 Alarming developments in the fight for digital privacy9 Alarming developments in the fight for digital privacy
9 Alarming developments in the fight for digital privacy
Entefy
 
The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1
William Kiss
 
Security Awareness Training: Are We Getting Any Better at Organizational and ...
Security Awareness Training: Are We Getting Any Better at Organizational and ...Security Awareness Training: Are We Getting Any Better at Organizational and ...
Security Awareness Training: Are We Getting Any Better at Organizational and ...
Enterprise Management Associates
 
Five Mistakes of Incident Response
Five Mistakes of Incident ResponseFive Mistakes of Incident Response
Five Mistakes of Incident Response
Anton Chuvakin
 
Stki summit2013 infra_pini sigaltechnologies_v5 final
Stki summit2013 infra_pini sigaltechnologies_v5 finalStki summit2013 infra_pini sigaltechnologies_v5 final
Stki summit2013 infra_pini sigaltechnologies_v5 final
Ariel Evans
 
Protecting your Data in Google Apps
Protecting your Data in Google AppsProtecting your Data in Google Apps
Protecting your Data in Google Apps
Elastica Inc.
 
Cybersecurity Powerpoint Presentation Slides
Cybersecurity Powerpoint Presentation SlidesCybersecurity Powerpoint Presentation Slides
Cybersecurity Powerpoint Presentation Slides
SlideTeam
 
How to Improve Your Board’s Cyber Security Literacy
How to Improve Your Board’s Cyber Security LiteracyHow to Improve Your Board’s Cyber Security Literacy
How to Improve Your Board’s Cyber Security Literacy
Tripwire
 
100903 e assessment (dundee)
100903 e assessment (dundee)100903 e assessment (dundee)
100903 e assessment (dundee)
JISC Legal
 
Wiretap 5-collaboration-security-risks-revealed
Wiretap 5-collaboration-security-risks-revealedWiretap 5-collaboration-security-risks-revealed
Wiretap 5-collaboration-security-risks-revealed
Britt Newton
 
Maleeff university of toronto 11 july 2019
Maleeff university of toronto 11 july 2019Maleeff university of toronto 11 july 2019
Maleeff university of toronto 11 july 2019
Stephen Abram
 
Social Media Policy
Social Media PolicySocial Media Policy
Social Media Policy
Elizabeth Engel
 
Autisable com-2020-05-13-cybersecurity-matters-
Autisable com-2020-05-13-cybersecurity-matters-Autisable com-2020-05-13-cybersecurity-matters-
Autisable com-2020-05-13-cybersecurity-matters-
Saad Ahmad
 
Business continuity in the lean times
Business continuity in the lean timesBusiness continuity in the lean times
Business continuity in the lean times
Steven Aiello
 
How secure is your company's information?
How secure is your company's information?How secure is your company's information?
How secure is your company's information?
eLeaP
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
Paul McGillicuddy
 
Managing insider threat
Managing insider threatManaging insider threat
Managing insider threat
milliemill
 
Review Paper ( Research Articles )
Review Paper ( Research Articles )Review Paper ( Research Articles )
Review Paper ( Research Articles )
SaadSaif6
 
Philippines ‘lagging behind’ on cloud adoption
Philippines ‘lagging behind’ on cloud adoptionPhilippines ‘lagging behind’ on cloud adoption
Philippines ‘lagging behind’ on cloud adoption
John Davis
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware
IBM Security
 

What's hot (20)

9 Alarming developments in the fight for digital privacy
9 Alarming developments in the fight for digital privacy9 Alarming developments in the fight for digital privacy
9 Alarming developments in the fight for digital privacy
 
The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1
 
Security Awareness Training: Are We Getting Any Better at Organizational and ...
Security Awareness Training: Are We Getting Any Better at Organizational and ...Security Awareness Training: Are We Getting Any Better at Organizational and ...
Security Awareness Training: Are We Getting Any Better at Organizational and ...
 
Five Mistakes of Incident Response
Five Mistakes of Incident ResponseFive Mistakes of Incident Response
Five Mistakes of Incident Response
 
Stki summit2013 infra_pini sigaltechnologies_v5 final
Stki summit2013 infra_pini sigaltechnologies_v5 finalStki summit2013 infra_pini sigaltechnologies_v5 final
Stki summit2013 infra_pini sigaltechnologies_v5 final
 
Protecting your Data in Google Apps
Protecting your Data in Google AppsProtecting your Data in Google Apps
Protecting your Data in Google Apps
 
Cybersecurity Powerpoint Presentation Slides
Cybersecurity Powerpoint Presentation SlidesCybersecurity Powerpoint Presentation Slides
Cybersecurity Powerpoint Presentation Slides
 
How to Improve Your Board’s Cyber Security Literacy
How to Improve Your Board’s Cyber Security LiteracyHow to Improve Your Board’s Cyber Security Literacy
How to Improve Your Board’s Cyber Security Literacy
 
100903 e assessment (dundee)
100903 e assessment (dundee)100903 e assessment (dundee)
100903 e assessment (dundee)
 
Wiretap 5-collaboration-security-risks-revealed
Wiretap 5-collaboration-security-risks-revealedWiretap 5-collaboration-security-risks-revealed
Wiretap 5-collaboration-security-risks-revealed
 
Maleeff university of toronto 11 july 2019
Maleeff university of toronto 11 july 2019Maleeff university of toronto 11 july 2019
Maleeff university of toronto 11 july 2019
 
Social Media Policy
Social Media PolicySocial Media Policy
Social Media Policy
 
Autisable com-2020-05-13-cybersecurity-matters-
Autisable com-2020-05-13-cybersecurity-matters-Autisable com-2020-05-13-cybersecurity-matters-
Autisable com-2020-05-13-cybersecurity-matters-
 
Business continuity in the lean times
Business continuity in the lean timesBusiness continuity in the lean times
Business continuity in the lean times
 
How secure is your company's information?
How secure is your company's information?How secure is your company's information?
How secure is your company's information?
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
Managing insider threat
Managing insider threatManaging insider threat
Managing insider threat
 
Review Paper ( Research Articles )
Review Paper ( Research Articles )Review Paper ( Research Articles )
Review Paper ( Research Articles )
 
Philippines ‘lagging behind’ on cloud adoption
Philippines ‘lagging behind’ on cloud adoptionPhilippines ‘lagging behind’ on cloud adoption
Philippines ‘lagging behind’ on cloud adoption
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware
 

Viewers also liked

[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling
OWASP EEE
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities
OWASP EEE
 
Dia da Música
Dia da MúsicaDia da Música
Dia da Música
Paulo Antunes
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by Design
OWASP EEE
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
OWASP EEE
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
OWASP EEE
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
OWASP EEE
 
[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable input
OWASP EEE
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps
OWASP EEE
 
[Bucharest] XML Based Attacks
[Bucharest] XML Based Attacks[Bucharest] XML Based Attacks
[Bucharest] XML Based Attacks
OWASP EEE
 
RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15
Mahfuzur Rahman
 
[Russia] MySQL OOB injections
[Russia] MySQL OOB injections[Russia] MySQL OOB injections
[Russia] MySQL OOB injections
OWASP EEE
 

Viewers also liked (12)

[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities
 
Dia da Música
Dia da MúsicaDia da Música
Dia da Música
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by Design
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable input
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps
 
[Bucharest] XML Based Attacks
[Bucharest] XML Based Attacks[Bucharest] XML Based Attacks
[Bucharest] XML Based Attacks
 
RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15
 
[Russia] MySQL OOB injections
[Russia] MySQL OOB injections[Russia] MySQL OOB injections
[Russia] MySQL OOB injections
 

Similar to [Lithuania] I am the cavalry

I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
Claus Cramon Houmann
 
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us  i tdays-luxembourg 2014.11.20 v1.0The cavalry is us  i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
Claus Cramon Houmann
 
Netflix SIRT - Culture and Tech -Trainman
Netflix SIRT - Culture and Tech -TrainmanNetflix SIRT - Culture and Tech -Trainman
Netflix SIRT - Culture and Tech -Trainman
Alex Maestretti
 
Unpatchable: Living with a vulnerable implanted device
Unpatchable: Living with a vulnerable implanted deviceUnpatchable: Living with a vulnerable implanted device
Unpatchable: Living with a vulnerable implanted device
Marie Elisabeth Gaup Moe
 
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
Neil Curran MSc CISSP CRISC CGEIT CISM CISA
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxPROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
woodruffeloisa
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
Devendra kashyap
 
Cognitive Computing in Security with AI
Cognitive Computing in Security with AI Cognitive Computing in Security with AI
Cognitive Computing in Security with AI
JoAnna Cheshire
 
IT security
IT securityIT security
IT security
Steven Aiello
 
Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)
Michele Chubirka
 
The Rising Tide Raises All Boats: The Advancement of Science of Cybersecurity
The Rising Tide Raises All Boats:  The Advancement of Science of CybersecurityThe Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity
The Rising Tide Raises All Boats: The Advancement of Science of Cybersecurity
laurieannwilliams
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
Envision Technology Advisors
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
Sean Whalen
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3
Ernest Staats
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Dana Gardner
 
Threat intelligence minority report
Threat intelligence minority reportThreat intelligence minority report
Threat intelligence minority report
Eliahu (Eli) Assif (Amar)
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
London School of Cyber Security
 
Looking into the future of security
Looking into the future of securityLooking into the future of security
Looking into the future of security
Southern Cross Group Services
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Dinesh O Bareja
 

Similar to [Lithuania] I am the cavalry (20)

I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
 
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us  i tdays-luxembourg 2014.11.20 v1.0The cavalry is us  i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
 
Netflix SIRT - Culture and Tech -Trainman
Netflix SIRT - Culture and Tech -TrainmanNetflix SIRT - Culture and Tech -Trainman
Netflix SIRT - Culture and Tech -Trainman
 
Unpatchable: Living with a vulnerable implanted device
Unpatchable: Living with a vulnerable implanted deviceUnpatchable: Living with a vulnerable implanted device
Unpatchable: Living with a vulnerable implanted device
 
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxPROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
 
Cognitive Computing in Security with AI
Cognitive Computing in Security with AI Cognitive Computing in Security with AI
Cognitive Computing in Security with AI
 
IT security
IT securityIT security
IT security
 
Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)
 
The Rising Tide Raises All Boats: The Advancement of Science of Cybersecurity
The Rising Tide Raises All Boats:  The Advancement of Science of CybersecurityThe Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity
The Rising Tide Raises All Boats: The Advancement of Science of Cybersecurity
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
 
Threat intelligence minority report
Threat intelligence minority reportThreat intelligence minority report
Threat intelligence minority report
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 
Looking into the future of security
Looking into the future of securityLooking into the future of security
Looking into the future of security
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
 

More from OWASP EEE

[Austria] ZigBee exploited
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploited
OWASP EEE
 
[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan
OWASP EEE
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
OWASP EEE
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE
 
[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification
OWASP EEE
 
[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system
OWASP EEE
 
[Russia] Bugs -> max, time <= T
[Russia] Bugs -> max, time <= T[Russia] Bugs -> max, time <= T
[Russia] Bugs -> max, time <= T
OWASP EEE
 
[Russia] Building better product security
[Russia] Building better product security[Russia] Building better product security
[Russia] Building better product security
OWASP EEE
 
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
OWASP EEE
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
OWASP EEE
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...
OWASP EEE
 
[Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!
OWASP EEE
 
[Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid![Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid!
OWASP EEE
 
[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide
OWASP EEE
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
OWASP EEE
 
[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox
OWASP EEE
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
OWASP EEE
 

More from OWASP EEE (17)

[Austria] ZigBee exploited
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploited
 
[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification
 
[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system
 
[Russia] Bugs -> max, time <= T
[Russia] Bugs -> max, time <= T[Russia] Bugs -> max, time <= T
[Russia] Bugs -> max, time <= T
 
[Russia] Building better product security
[Russia] Building better product security[Russia] Building better product security
[Russia] Building better product security
 
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...
 
[Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!
 
[Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid![Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid!
 
[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
 
[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
 

Recently uploaded

Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 

Recently uploaded (12)

Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 

[Lithuania] I am the cavalry

  • 1. I AM THE CAVALRY http://iamthecavalry.org @iamthecavalry SHOULDN’T YOU BE ALSO?
  • 2. CLAUS CRAMON HOUMANN Infosec Community Manager @ Peerlyst (A start-up Infosec community/Social platform that wants to turn the tables on cyber security) Infosec Consultant The Analogies contributor Twitter: @claushoumann
  • 3. IDEA “Our dependence on technology is growing faster than our ability to secure it”
  • 4. IDEA “Our society has evolved faster than our laws”
  • 7. WHERE DO WE SEE CONNECTIVITY NOW? In Our Bodies In Our Homes In Our InfrastructureIn Our Cars
  • 8. HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ? In Our Bodies In Our Homes In Our InfrastructureIn Our Cars
  • 9. SAY BABY MONITORS AGAIN? In Our Homes Source: Rapid7 research/Mark Stanislav: Baby monitors https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-
  • 10. THEN
  • 12. IT’S SAFETY NOT JUST SECURITY Ouch!
  • 13. Cars have computers Computers have security issues Security issues in cars are safety issues Safety issues can cost or imperil lives
  • 15. SOMEONE WILL FIX IT FOR US Chapter 2
  • 16.
  • 19. A DO-OCRACY OF DO’ERS. W H ER E D OIN G STARTS W ITH EMPATHY And by ripples I mean
  • 20.
  • 21.
  • 22.
  • 24. NEVER DOUBT THAT A SMALL GROUP OF THOUGHTFUL, COMMITTED CITIZENS CAN CHANGE THE WORLD; IT’S THE ONLY THING THAT EVER HAS. - MAR GAR ET MEAD ( A N A M E R I C A N C U LT U R A L A N T H R O P O L O G I S T )
  • 25. •The The Cavalry isn’t coming… It falls to us Problem Statement Our society is adopting connected technology faster than we are able to secure it. Mission Statement To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust. Collecting existing research, researchers, and resources Connecting researchers with each other, industry, media, policy, and legal Collaborating across a broad range of backgrounds, interests, and skillsets Catalyzing positive action sooner than it would have happened on its own Why Trust, public safety, human life How Education, outreach, research Who Infosec research community Who Global, grass roots initiative WhatLong-term vision for cyber safety Medical Automotive Connected Home Public Infrastructure I Am The Cavalry
  • 26. Connections and Ongoing Collaborations 5-Star Framework 5-Star Capabilities  Safety by Design – Anticipate failure and plan mitigation  Third-Party Collaboration – Engage willing allies  Evidence Capture – Observe and learn from failure  Security Updates – Respond quickly to issues discovered  Segmentation & Isolation – Prevent cascading failure Addressing Automotive Cyber Systems Automotive Engineers Security Researchers Policy Makers Insurance Analysts Accident Investigators Standards Organizations https://www.iamthecavalry.org/auto/5star/
  • 27. www.iamthecavalry.org @iamthecavalry 5-Star Cyber Safety Formal Capacities 1. Safety By Design 2. Third Party Collaboration 3. Evidence Capture 4. Security Updates 5. Segmentation and Isolation Plain Speak 1. Avoid Failure 2. Engage Allies To Avoid Failure 3. Learn From Failure 4. Respond to Failure 5. Isolate Failure
  • 28. 5 STARS 5 star ICS 5 star IoT 5 star medical devices
  • 29. www.iamthecavalry.org @iamthecavalry And! • Dräger on board with I am the Cavalry as first medical device producer working directly in sync with us • Their Product Security Manager is even directly involved now
  • 30. AND MORE IN OTHER AREAS COMING We try to connect researchers to 1. Lawmakers to inform of meaningful changes to laws to enforce secure by default 2. Vendors/producers to inform of secure ways to build securely by design and of identified vulnerabilities 3. Purchasers of devices (example: Pacemakers, car distributors) to explain to them why they need to contractually demand security – if there is demand vendors will supply
  • 31. AND YES I DID SAY LAWMAKERS It is WEIRD for you to have to listen to. I agree, but
  • 32. WHAT YOU CAN DO Chapter 5
  • 33. CONNECTIONS/CONNECTORS WANTED Breakers and Builders Legal and Policy Citizens, Connectors Parents/Guardians Community Leaders/Bloggers/Podcasters/etc.
  • 34. MOUNT UP AND BE THE CAVALRY YOU DON’T ACTUALY NEED A HORSE
  • 36. -> OWASK SKF -> OWASP SECURITY SHEPHERD -> OWASP ZAP Recommendations: Use SDLC