Spiritualists, magicians and security vendors
•Download as PPTX, PDF•
0 likes•402 views
After a journey through the history of spiritualists and homeopaths, and the magicians that debunk them, Chris reveals six tips for privacy officers to use when dealing with information security vendors and professionals.
Recommended
Recommended
More Related Content
Similar to Spiritualists, magicians and security vendors
Similar to Spiritualists, magicians and security vendors (20)
More from Chris Hammond-Thrasher
More from Chris Hammond-Thrasher (13)
Recently uploaded
Recently uploaded (20)
Spiritualists, magicians and security vendors
- 1. Spiritualists, Magicians and Security Vendors Gaining an Advantage in Security and Privacy ICE Conference 5 November 2012 – Edmonton Chris Hammond-Thrasher Associate Director, Consulting Security, Privacy and Compliance Fujitsu Canada chris.hammond-thrasher@ca.fujitsu.com 1
- 2. 2
- 3. 3
- 4. 4
- 5. 5
- 6. 6
- 7. 7
- 8. 8
- 9. 9
- 10. 10
- 11. 11
- 12. Active ingredient: Anas Barbariae Hepatis et Cordis extractum 200C 12
- 13. 14
- 14. 15
- 15. 16
- 16. Worm.Win32.Flame Hits in 1 Week – March 2012 17
- 17. 18
- 18. 19
- 19. Six Steps to Computer Security For IT Professionals “How To Not Fall for the Hype” 20
- 20. #1 Why Is There No P in SDLC? Recently it has become popular to plan to address security requirements through all phases of the IT system lifecycle – from planning to operationalization. This is commonly referred to as the “Secure Development Lifecycle” or SDLC. However, privacy requirements are not the same as information security requirements. What if privacy needs were also considered in all phases? 21
- 21. #2 Threat / Countermeasure Threat modeling is a staple item in security engineering. Put briefly, threat modeling entails describing all of the threats that you plan to defend against (the threat model), followed by planning a suite of countermeasures to manage all of the identified threats. For privacy professionals, the problem is that the threat models created by security professionals often miss significant privacy threats. It can be valuable to create a privacy threat model. 22
- 22. OWASP Risk Model 23
- 23. Threat Attack Security Security Technical Business Agents Vectors Weaknesses Controls Impacts Impacts Fraud detectio Cannot Custome n Funds r$ Fraudulen detect Messag transferre t message fraud d messages e logging End- Insider point validatio Enterprise n service disruption Messag Cannot Network detect zones ESB e forged DoS forgery messages Messag e Reputation signatur al capital Crimina es l Data Loss Preventio APT n Messag Plaintext Personal e messag Info es disclosed Privacy sniffing Message complianc encryption e breach 24
- 24. #3 And You Log That, Right? Security and system administrators need to understand event logging requirements from both a security and privacy perspective. They need to know exactly which data elements need to be logged and the length of time that these logs need to be retained. Privacy logging requirements alone can make the difference in selecting one solution over another. Do not wait until it is too late to understand the business’ logging needs. 25
- 25. #4 Show Me! If you are serious about protecting privacy, you cannot take a security vendor’s word that something works the way it is supposed to. You cannot even go by the word of your organization’s own security and system administrators – you must test and you must audit. And testing and auditing should not be limited to prevention – do not wait for an incident to occur before you find out that you do not have the information required to support the investigation. 26
- 26. #5 Plan for Failure The cornerstone of safety engineering is planning for systems to fail. Security and privacy professionals can influence system design and configuration so that when breaches inevitably occur, the resulting damage can be minimized. Model, test and audit defensive failures. Design detective controls that facilitate the detection of security failures. 27
- 27. #6 You Can’t Break It, I Can’t Break It, but What About the Guy in the Fedora? Of course, most privacy professionals are not skilled hackers. Did you know that neither are most security professionals? Both your vendors and your security team will tell you that everything is setup securely and that they have run their scanning tools and have not found any weaknesses. However, you really do not know if the information in your charge is safe until you hire external security auditors. This can be an intimidating prospect, but it is the only way to be sure. 28
- 28. Chris Hammond-Thrasher chris.hammond-thrasher@ca.fujitsu.com Associate Director, Consulting @thrashor Security, Privacy and Compliance Fujitsu Canada
Editor's Notes
- beguilement, betrayal, blarney, boondoggle, charlatanism, cheat, chicanery, circumvention, cozenage, craftiness, cunning, deceit, deceitfulness, deception, defraudation, disinformation, dissimulation, double-dealing, dupery, duplicity, equivocation, falsehood, fast one, flimflam, fraud, fraudulence, guile, hokum, hypocrisy, imposition, insincerity, juggling, legerdemain, lying, mendacity, pretense, prevarication, quackery, snow job, sophism, treachery, treason, trickery, trickiness, trumpery, untruth
- Photo source: http://www.lhup.edu/~dsimanek/doyle.htmThe Fox sisters were famous mediums in the 1950s.
- Photo source: WikipediaThe Fox sisters. Margaret Fox, The New York World, Oct. 21, 1888: Spiritualism is a fraud and a deception. It is a branch of legerdemain, but it has to be closely studied to gain perfection.
- Photo source: WikipediaPhoto date: 1914Sir Arthur Conan Doyle: Nothing that she could say in that regard would in the least change my opinion, nor would it that of any one else who had become profoundly convinced that there is an occult influence connecting us with an invisible world.
- Photo source: http://www.lhup.edu/~dsimanek/doyle.htmFrances Griffiths (age 10). Taken in 1917 by her cousin Elsie Wright (age 16).
- Photo source: Wikipedia 1870. With ropes in front of the spirit cabinet.
- Photo source: WikipediaJean Eugene Robert-Houdin,1850-1870Magician as debunker
- Photo source: http://www.houdinitribute.com/houdinimore.htmlIra Davenport and Harry Houdini, Mayville, New York, 1910. In 1924 Houdini published A Magician Among the Spirits which railed against spiritualists and their frauds. However, he excluded the Davenports.Blurring the line between magician and fraudster
- Source: http://www.channel4.com/programmes/derren-brown-investigatesAired in 2010.Debunking mediums, psychic self-improvement frauds, and haunting frauds.
- Image source: informationisbeautiful.netDavid McCandless 2010 Journalist as debunker.
- See: http://www.oscillo.com/Consumers, lawyers and scientists as debunkers.List price US$18.09 on vitaminshoppe.comwww.topclassactions.com: "probability of getting 1 molecule of the active ingredient of Oscillo in a regular dosage is approximately equal to winning the Powerball every week for nearly an entire year. Simply stated, there is no trace of the purported active ingredient in Oscillo. Oscillo is nothing more than sugar (85% sucrose and 15% lactose)."www.skepticnorth.com: The heart of the case is the claim that Oscillococcinum (“Oscillo”) does not in fact contain the active ingredient Boiron lists on its packaging. The packaging for Oscillo lists the active ingredient as “AnasBarbariaeHepatis et Cordisextractum 200C”. Put into plain English, this describes a dilution of an initial extract of the heart and liver of the Barbary (or Muscovy) duck. Set aside for the moment the fact that there is no evidence whatsoever that Barbary duck organs have any effect on influenza, and focus on the dilution. Even by homeopathic standards, the level of dilution in Oscillo is extreme: “200C” indicates a serial dilution of one part in 100, repeated 200 times. That is, the final product represents a theoretical dilution level of one part in 10^400. Given that the entire observable universe only contains an estimated 10^80 atoms, it is clear that almost all of these dilutions involve simply diluting water with water – there is no trace of duck heart or liver left after the first dozen or so dilutions. So the claimed active ingredient in Oscillo is neither “active” nor an “ingredient”. Rather, since each 1g pill contains 0.85g sucrose and 0.15g lactose, Oscillo is in fact 100% sugar.
- Image source: WikipediaJames Randi’s Million Dollar challenge began in 1964 when he posted $1000 of his own money for proof of paranormal power.360 have applied formally between 1997 and 15 Feb 2005. No one has made it past the preliminary experimental round.Randi also extends his prize to proof that homeopathy works – a practice that he sees as a form of sympathetic magic.
- Antivirus rhetoric - Built from the combined text of the marketing pages for the top seven consumer-grade antivirus products on the market as of 30 April 2012.
- On 28 May 2012, Kaspersky Lab announced the discovery and dissection of a package of malware they named “Flame”They then stirred up as much FUD as possible in order to maximize sales of their end point protection product.But here are a few problems:It had been in the wild – primarily targeting systems in Iran – for between two and four yearsIt is at least 20 Mb in size and no antivirus company had yet detected itKaspersky is a Russian firm – why didn’t Americans find it?It used a fake certificate to install itself – error free – via Windows updateAs soon as it was announced, all Flame command and control centres when deadIt was engineered by US and Israeli intelligence and has code in common with Stuxnet
- Flame seems to have targeted countries in the Middle East and North Aftrica, but it was definitely “in the wild” and not detected by anyone.Still, with this evidence and a large number of security professionals who have written of the relative ineffectiveness of antiviruss, people continue to over trust antivirus. Where is the magician who can set the record straight?
- Dave Kennedy, aka ReL1k
- Hackers as magicians:Using SET version 4.x to hide malicious code from antivirus. Total cost: free.
- CIA vs. Collection, Use and DisclosureNo system in Canada is free from significant privacy compliance requirements: In Alberta we have PIPA, FOIPP, HIA and a few others for special cases.Case of a multimillion dollar system purchase in Alberta which did not comply with privacy regulations. A second multimillion dollar purchase was required to make the system compliant.
- This a fundamental differentiator between organizations that merely seek to comply and organizations that seek to manage their risk and the risk to their customers’ information
- Many organizations have a fixation with preventative controls. This is a symptom of the misconception, fed by vendors of preventative controls, that it is possible to avoid compromise. The most flexible and best detective or mitigating control is security logging.Case of one Alberta client where effort had been made to configure Windows event logs to support forensic investigations. When a serious incident occurred, they discovered that the logs they needed to investigate were not available as large volumes of security events were causing the logs to roll over within hours.
- Serious incidents are inevitable. Do not wait for your customers to inform you of an incident. Consider what you will need to do when an incident is detected – Disable accounts? Blacklist IP addresses? Shut the system down and restore to a clean copy?
- Photo source: http://www.theinquirer.net/inquirer/news/1020852/kisses-renderman-brave-inq-snapperazziHackers as debunkers.Open source security – pre-hacked tools.NSA cryptography contest.