https://www.youtube.com/watch?v=bSSt6owsYlI I SURVIVED ROCK AND ROLL! Can You Survive Security Incident Escalation? I GREW up in the music business. Both of my parents were engineers and I got into building and breaking things by the age of 6. My father produced Peter, Paul & Mary, Bob Dylan slept on our couch and while Ella drank, Louis Armstrong taught me how to play the trumpet. We had our own recording studio at home where I worked after school for years. This is a really fun preso as it maps my first career over 30 years in the security biz and how it applies to Epic Fails with Security Incident Reporting & Escalation.

1. I Survived Rock’n’Roll
“A Primer in
Analogue Network Security”
How Stevie Wonder, Bob Marley, jimi hendrix & Liza Minnelli
prepared Me For Security
Winn Schwartau
www.TheSecurityAwarenessCompany.com

2. I Do Awareness:
I Used to Do Analogue Rock
Realizations for Security
We teach success not failure.
Digital is NOT Binary
Analogue Still Rules (Or Should)
You Can’t Fix It in the Mix (Music or People)
I know all about Feedback! Security Doesn’t.
Some Ways to Rethink Security
(Some you may think are odd…but they work!)
I Have Had to Respond to Some Incredible Incidents

3. My Mom. 1943.
NBC Mastering Engineer

4. My Dad. NBC. 1946.
Oscilloscope and Radar Dev. WWII

5. My First DefCon

6. Winn As Young TV Repairman

7. My Electronics Store

8. Vacuum
Tube
Computer
1950s

9. 1961

10. High School Computer

11. 1960 Fender Stratocaster

12. My First Sessions

13. My First Lathe

14. 1969-1970: Complex Systems

15. IMSAI 1972

16. My First Home Computers
(That Worked At All)

17. My Wife. AES Convention 1980.
First Computerized Audio

18. Automation

19. My Studio: 1980

20. EPIC FAILS:
My Incident Responses
Stevie Wonder
Liza Minnelli
Charlie Daniels
Studio R-1

21. Stevie Wonder & Bob Marley 1975
“Holiday Jamaica, Mon” (Free!)

22. Stevie Wonder Pt. I
USA Chaos: Lost 727

23. Stevie Wonder Pt. III
Whaddya Do?

24. Restoring Power

25. Stevie Wonder:
Security Take Aways
Fast Incident Response is Critical!
Cyber is Physical.
Power is GOD!
Have a Backup. DR Plan. Exercise it. Again.
Plan for double faults.
Think Confocal Infrastructural Vulnerability
When the IT hits the fan…ask for forgiveness, not permission.
Let the crazy guy try something crazy. What do you have to lose
when 100,000 people start to riot?

26. When the **IT Doesn’t Sync

27. Live!

28. Auto Sync (Right!)

29. Manual Sync

30. Liza Minneli:
Security Take Aways
Sync
Policy, AD, AS, Mobile, Backup, DR, etc.
Compliance, Policy, Testing?
Cross NWs
Time/Date-Event Stamps (time changes globally!)
Can U Go Manual Synchronization Mode?
Develop test & override
Develop skills
Have the manual tools in a kit
Test the process
Regularly

31. But only 8 Years Later…

32. More Sync Failures

33. Charlie Daniels:
32:1

34. Supposed to Be…

35. But Was Actually…

36. Charlie Daniels:
Security Take Aways
Architect for Graceful Degradation
A Graceful Backup is Better Than None
Rehearse Mission Critical Mode
For what you can
Mentally for those impossible situations
Develop “What Can Go Wrongggggggg List”
Risk/Cost Analysis
Train for Skills in live!
Exercise skills

37. The Reality of Remotes:
Take Aways
“You know, it’s always
something.”
Murphy has a tent city here.
One backup is not enough.
Always, always, have Plan-B
and Plan-C ready to go!
Overstaff.

38. Studio R-1:
Flop, Flop, Fizz, Fizz

39. Supposed to Be…

40. What We Had To Do…

41. Studio R-1
Security Take-Aways
Time is Money: In the studio or the network!
Reliable, tested, fixed systems can fail, too!
Disaster Recovery
Graceful Degradation Part 2
Have a backup… Always!
Get very creative when the IT hits the fan.

42. Other Lessons
Live From the
Lone Star Café
Hank Williams Jr.
Bill Haley and the Comets
MSG NYC
BT Express
NYC Blackout

43. SYSTEMS
Massive Complex Networks
Hard to Visualize in One Go
It’s a Way of Thinking
Some call it Strategic
Easier to Spot Potentials for Failure
Complexity Breeds Insecurity

44. Big Patch Bays

45. My First Studio (16 yrs. Old)

46. Complexity

47. Turn All The Knobs

48. Turn All The V-Knobs

49. Complexity Take-Aways
Breeds Problems
Trace, Find, Fix
Too many options!
Engineer for Robust Simplicity
Graceful Degradation
Wire Neatly
Document (And back them up, too!)

50. It’s All About Time
I told you we would get to feedback.

51. Time Based Security
Common Metric
Security
Privacy
Risk
(Music had its own metrics)
Tempo, Pitch, Blend, S/N, etc.

52. Defense in Depth
P>D+R
>
P(d1) >D(d1) + R(d1)
>
P(r1) >D(r1) + R(r1)

53. Feedback
Acoustic
Electrical
Mechanical

54. Adding TBS to Protection Process
Protection
Process
Reaction Channel
Start Clock
Stop Clock
If T > x, then R
Process Request
Process Approval
Process Stopped?

55. Time Based Take Aways
Time is the under-utilized security metric
Feedback is a Time-Function
f(t)
Incident Response is all about time
And saving money, image, etc.
We don’t use Feedback in security
Without feedback = Runaway Conditions
Resonance can be your friend… or your enemy

56. Digital Isn’t Binary
Think Analogue in Design and Problem Solving

57. Sine Waves: Analog

58. Square Waves

59. Averaging Quanta: Plank’s ‘d’

60. Continua

61. Got Asperger?

62. Digital Isn’t Binary Take Aways
Incident Response:
Calculate Risk with TBS
Measure Your NWs Incident Response Capability
Humans are Analog… not Digital
Parse by time division
Security isn’t always Yes/No?
Learn to Average/Curve
Approximation Anxiety?
Apply spectrums for behavior

63. Final Rant
Teach Failure
More Hands-On Engineering
Architect for Failure
Think Strategically
Learn Systems
Inter-Disciplinarianism
Practice Incident Response

64. Comments, Q & A?
Winn Schwartau
+1 727 393 6600
Founder, TheSecurityAwarenessCompany.Com
Winn@TheSecurityAwarenessCompany.Com

65. ADD
Failure!
Whole Section
Synesthesia

66. Applause!

68. DIY – 1960s

69. DIY – 2014:
More, more, more!