HitB2010Ams - Ten Crazy Ideas That Might Actually Change the State of Information Security
Frank Breedijk
Mark starts off by giving a very funny overview of his very impressive career. He currently has a non-security security job at Microsoft, running the MSDN subscription services department. Being away from security has given him room to think about information security more.
His talk is about 10 crazy ideas that might change the state of information security. These ideas all cost little money but may have a big impact.
#1 – Adopt Chinese Medicine Business Model
In China the doctor gets paid to keep you healthy, not to cure you. Two companies are currently experimenting with this business model.
#2 – Stop Human Pattern Matching
Humans see the things they expect to see. The brain is wired to see what it is expecting to see. This is why optical illusions work, which was demonstrated to the audience with two illusions. Security people do this all the time: I have XSS, this is going to happen, this vulnerability will cause this worm.
#3 – Community Driven Statistical Modelling
An example of this is http://freerisk.org. It allows people to input and consume financial modelling data. In the security world there is no data that will give us a predictable model of how security behaves. Wine quality can actually be captured in a formula: Wine Quality = 12.145 + 0.00117 * winter rainfall + 0.0614 * average growing season – 0.00386 * harvest rainfall. Where is the equivalent for security? Rubbish, you say? Well, the formula for wine quality is actually used in the field now.
#4 – Teach Kids Computer Security
Computer Science students often do not know about IT security. It should be a core part of learning IT.
#5 – Make Developing Countries Centers for Security Excellence
IT security hotspots are where engineering is considered a good job.
#6 – Make Hacking a Competitive Sport
If hacking is a competitive sport, nations might actually get good at it, and it might just increase funding for IT security.
#7 – Connected Information Security Framework
IT security tools do not talk to each other. You may want to get different parts of the IT security puzzle from different sources, but integrating the reports is very hard.
#8 – Embrace Design Driven Security
We must reward the builders AND the breakers, not just the people who break IT security.
#9 – Crowd Source Access Control
Resetting your banking password generally happens in a call center (probably in India). It is very crazy that we trust people we do not know at all to reset our password. Why not use the people who actually know you to determine whether you need access or not? The wiki at OWASP was actually very successful in this respect, because there are social networks that actually control who has access to edit the pages and who hasn’t.
#10 – Adopt Agile Mindset
It is explained in the Agile Manifesto – http://agilemanifesto.org/
The agile mindset is about:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
Most security projects deal with a large amount of uncertainty and complexity. That is exactly the right spot for the Agile mindset.
Contract negotiations are done at the point where you know the least about what is ahead of you. This basically sets you up for failure.