Challenging the Epistemological
Anarchist to Escape our Dark Age
The Shep Pettibone 12” Remix
David Mortman
Alex Hutton
Agreed: Data is good
Agreed?
• “Risk management inputs are estimates and the results are therefore questionable
• Risk management attempts to predict the future; that is hard
• Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker

  These are the reasons I reject Risk Management.”
  - a well known Security RockStar
• Risk management inputs are estimates and the results are therefore questionable
  • All measurements are estimates. We’re just quibbling about the amount of uncertainty.
• Risk management attempts to predict the future; that is hard
  • This simplifies information theory. Risk Management only describes certainty (Bayesian - “belief”) about a current state of nature in order to make decisions.
  • Are climate studies “science”? If so, then how is this different than the global warming “debate”?
• Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker
  • This is just silly. It’s saying the past is non-informative.
“These are the reasons I reject Risk Management.”
       Rejection in favor of what, exactly?
Epistemological Anarchy
Rain Dances and Astrology are just as valid as Biology and Physics
Epistemological Anarchy
The rejection of an ability to derive a State of Knowledge
Meet The Rev. Thomas Bayes and E.T. Jaynes
Bayesian Rationalism
There is no certainty, but degrees of certainty that create a state of probable knowledge
The search for Truth aside, can we acquire a “body of knowledge”?
Kuhn’s Protoscience
A stage in the development of a science that is described by:

• somewhat random fact gathering (mainly of readily accessible data)
• a “morass” of interesting, trivial, irrelevant observations
• a variety of theories (that are spawned from what he calls philosophical speculation) that provide little guidance to data gathering
What is required
To develop a “body of knowledge”, a social science for security & risk management?
[Diagram: the Risk Landscape. “risk” sits at the center, surrounded by four landscapes: Loss Landscape, Threat Landscape, Asset Landscape and Controls Landscape; the label “security / state of vulnerability” appears between the Threat and Controls landscapes. A second version of the diagram relabels the center “risk management” and adds a “capability to manage” node.]

To develop a “body of knowledge”, a social science for security & risk management?

[Diagram: the same Risk Landscape, annotated with the disciplines that inform each part:]
- Loss Landscape: Economics, Behavioral Economics, Security, Management Science, Probability Theory
- Threat Landscape: Behavioral Economics, Probability Theory
- Asset Landscape: Management Science, Probability Theory
- Controls Landscape: Management Science, Probability Theory, Control Theory
- Capability to Manage: Decision Theory, Management Science, Probability Theory
What is required
To develop a “body of knowledge”, a social science for security & risk management?
- Information & Theories (Models) about the Risk Landscape
- Data. At first applicable within the context provided by those theories, but data tends to stand by itself for future theories
Models (Theories)
Don’t have to be perfect, just ego-less
The Mortman/Hutton Model for Exploit Development/Use
A Vulnerability List Isn’t Enough
The Sexiest Vuln Isn’t The One You Should Be Worrying About.
Patch availability prior to breach
  < 1 month      0%
  1-3 months     4%
  3-6 months     6%
  6-12 months   16%
  > 1 year      74%
What About CVSS?
The Mortman/Hutton Model for Expectation of Exploit Use
example: Microsoft Security Advisory (972890)
The Mortman/Hutton Model Taxonomy
[Diagram: a factor tree rooted at “Expectation of Development/Use”, with two top-level branches, Saturation of Vulnerable Technology and Exploit Utility. A marker symbol (lost in extraction) flags the nodes at which an actor performs a Risk Assessment. The node names recovered from the diagram, grouped by branch as the two detail slides show them:]
- Saturation of Vulnerable Technology: Market Penetration; Ability To Compensate (inverse), with Ability To Repair and Ability To Apply Controls beneath it
- Exploit Utility: Expected Value of Systems; Code Dissemination; Access; Resources; Information Expectation; Ease of Use; Nature of Discovering Individual; Expected Value of Systems (fractal); Volume; Expected Market Return; Computing Power; Bandwidth

Saturation of Vulnerable Technology
[Detail slide: the Saturation of Vulnerable Technology branch of the tree above.]

Exploit Utility
[Detail slide: the Exploit Utility branch of the tree above.]
Model lives & will be maintained & information can be shared at:
The New School of Information Security Website
http://www.newschoolsecurity.com
Question & Answer

Mortman/Hutton Security B-Sides Presentation

  • 1. Challenging the Epistemological Anarchist to Escape our Dark Age The Shep Pettibone 12” Remix David Mortman Alex Hutton
  • 4. “Risk management inputs are estimates and the results are therefore questionable
      • Risk management attempts to predict the future; that is hard
      • Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker
      These are the reasons I reject Risk Management.” - a well known Security RockStar
  • 8. Risk management inputs are estimates and the results are therefore questionable
      • All measurements are estimates. We’re just quibbling about the amount of uncertainty.
    Risk management attempts to predict the future; that is hard
      • This oversimplifies information theory. Risk Management only describes certainty (Bayesian “belief”) about a current state of nature in order to make decisions.
      • Are climate studies “science”? If so, then how is this different from the global warming “debate”?
    Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker
      • This is just silly. It’s saying the past is non-informative.
  • 11. “These are the reasons I reject Risk Management.” Rejection in favor of what, exactly?
  • 12. Epistemological Anarchy Rain Dances and Astrology are just as valid as Biology and Physics
  • 13. Epistemological Anarchy The rejection of an ability to derive a State of Knowledge
  • 14. Meet The Rev. Thomas Bayes and E.T. Jaynes
  • 15. Bayesian Rationalism There is no certainty, but degrees of certainty that create a state of probable knowledge
  • 16. The search for Truth aside, can we acquire a “body of knowledge”?
  • 17. Kuhn’s Protoscience: a stage in the development of a science that is described by:
      • somewhat random fact gathering (mainly of readily accessible data)
      • a “morass” of interesting, trivial, irrelevant observations
      • a variety of theories (spawned from what he calls philosophical speculation) that provide little guidance to data gathering
  • 18. What is required To develop a “body of knowledge”, a social science for security & risk management?
  • 19. [Diagram: the four landscapes (Loss Landscape, Threat Landscape, Asset Landscape, Controls Landscape) around “risk” and “security / state of vulnerability”.]
  • 20. [Diagram: as slide 19, with “capability to manage” and “risk management” added.]
  • 22. To develop a “body of knowledge”, a social science for security & risk management? Disciplines per part of the diagram:
      Capability to Manage: Decision Theory, Management Science, Probability Theory
      Loss Landscape: Economics, Behavioral Economics, Security, Management Science, Probability Theory
      Threat Landscape: Behavioral Economics, Probability Theory
      Asset Landscape: Management Science, Probability Theory
      Controls Landscape: Management Science, Probability Theory, Control Theory
      (risk sits at the centre of the four landscapes)
  • 23. What is required to develop a “body of knowledge”, a social science for security & risk management?
      - Information & Theories (Models) about the Risk Landscape
      - Data. At first applicable within the context provided by those theories, but data tends to stand by itself for future theories
  • 24. Models (Theories) Don’t have to be perfect, just ego-less
  • 25. The Mortman/Hutton Model for Exploit Development/Use
  • 26. A Vulnerability List Isn’t Enough
  • 27. The Sexiest Vuln Isn’t The One You Should Be Worrying About.
  • 28. Patch availability prior to breach
      < 1 month      0%
      1-3 months     4%
      3-6 months     6%
      6-12 months   16%
      > 1 year      74%
  • 31. The Mortman/Hutton Model for Expectation of Exploit Use
  • 36. [Diagram: the Expectation of Development/Use factor tree. Two top-level branches: Saturation of Vulnerable Technology and Exploit Utility. Under Saturation of Vulnerable Technology (slide 37): Market Penetration; Ability To Compensate (inverse), made up of Ability To Repair and Ability To Apply Controls. Under Exploit Utility (slide 38), leaf labels as transcribed, grouping not recoverable: Expected Value of Systems, Code Dissemination, Ease of Use, Nature of Access, Resources, Information, Discovering Expectation, Individual, Expected Volume (fractal), Market Return, Computing Power, Bandwidth. Legend: marked nodes = Actor performs Risk Assessment. Slides 37, 38 and 39 are the same diagram with one branch highlighted.]
  • 40. Model lives & will be maintained & information can be shared at: The New School of Information Security Website http://www.newschoolsecurity.com
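Worked example, added here and not taken from the Mortman/Hutton slides or the New School site: slide 15's point that risk management describes degrees of belief about a current state of nature, applied to the slide 28 patch-age breakdown. Instead of quoting "74% of breaches had a patch available for over a year" as a bare percentage, the breach counts are treated as evidence that updates a prior, so the answer comes with a credible interval (the "amount of uncertainty" slide 8 says we are quibbling about) and a bucket with zero observations is not treated as impossible. The bucket names are the slide's; the breach counts, the prior pseudo-counts and every function name are constructed assumptions for the illustration.

```python
"""Degrees of belief about where breaches come from, by patch age.

Added example (not from the Mortman/Hutton slides): the patch-age breakdown
on slide 28 is treated as evidence that updates a prior belief, giving a
posterior with explicit uncertainty instead of a bare percentage.
The breach counts and prior pseudo-counts below are constructed (assumptions).
"""
from math import exp, lgamma, log

# Patch-age buckets as labelled on slide 28.
BUCKETS = ["<1 month", "1-3 months", "3-6 months", "6-12 months", ">1 year"]

# Constructed sample: 50 breaches split roughly as the slide-28 percentages.
OBSERVED = {"<1 month": 0, "1-3 months": 2, "3-6 months": 3, "6-12 months": 8, ">1 year": 37}

# A weak, flat prior: one pseudo-breach per bucket (assumption).
UNIFORM_PRIOR = {k: 1.0 for k in BUCKETS}


def dirichlet_posterior(prior, counts):
    """Conjugate Dirichlet-multinomial update: add observed counts to prior pseudo-counts."""
    return {k: prior[k] + counts.get(k, 0) for k in prior}


def posterior_mean(alpha):
    """Posterior expected share of breaches per bucket (never exactly zero with a flat prior)."""
    total = sum(alpha.values())
    return {k: a / total for k, a in alpha.items()}


def _log_beta_pdf(x, a, b):
    return (a - 1) * log(x) + (b - 1) * log(1 - x) - (lgamma(a) + lgamma(b) - lgamma(a + b))


def credible_interval(alpha, bucket, mass=0.9, grid=2000):
    """Equal-tailed credible interval for one bucket's share.

    The marginal of one Dirichlet component is Beta(alpha_i, alpha_0 - alpha_i);
    its CDF is accumulated on a grid so the example needs no scipy.
    """
    a = alpha[bucket]
    b = sum(alpha.values()) - a
    xs = [(i + 0.5) / grid for i in range(grid)]
    dens = [exp(_log_beta_pdf(x, a, b)) for x in xs]
    norm = sum(dens)
    lo_target, hi_target = (1 - mass) / 2, 1 - (1 - mass) / 2
    lo = hi = None
    acc = 0.0
    for x, d in zip(xs, dens):
        acc += d / norm
        if lo is None and acc >= lo_target:
            lo = x
        if hi is None and acc >= hi_target:
            hi = x
            break
    return lo, hi


def summarize(prior, counts, mass=0.9):
    """Per-bucket (mean, low, high) of the posterior share, for a decision table."""
    alpha = dirichlet_posterior(prior, counts)
    means = posterior_mean(alpha)
    return {k: (means[k], *credible_interval(alpha, k, mass)) for k in alpha}


if __name__ == "__main__":
    for k, (m, lo, hi) in summarize(UNIFORM_PRIOR, OBSERVED).items():
        print(f"{k:>11}: {m:5.1%}  (90% credible {lo:5.1%} - {hi:5.1%})")
    # A stronger flat prior (10 pseudo-breaches per bucket) pulls the >1 year share down:
    # prior and data are both estimates, and the posterior shows how much each one weighs.
    strong = summarize({k: 10.0 for k in BUCKETS}, OBSERVED)
    print(f"with a strong flat prior, >1 year share = {strong['>1 year'][0]:.1%}")
```

With the flat prior the posterior mean for the ">1 year" bucket is 38/55, about 69%, with a 90% credible interval roughly 0.59 to 0.79; the "<1 month" bucket, with no observed breaches, keeps a small non-zero share rather than being declared impossible. The last two lines show why the choice of prior has to be stated: ten pseudo-counts per bucket would drop the ">1 year" share to 47%, which is the same data read with a different amount of prior belief.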