HitB2010Ams - Ten Crazy Ideas That Might Actually Change the State of Information Security

By Mark Curphey

Mark starts off by giving a very funny overview of his very impressive career. He currently has a non-security job at Microsoft, running the MSDN Subscriptions department. Being away from security has given him room to think about information security more.

His talk is about ten crazy ideas that might change the state of information security. All of these ideas cost little money, but may have a big impact.

#1 – Adopt Chinese Medicine Business Model

In China the doctor gets paid to keep you healthy, not to cure you. There are currently two companies that are experimenting with this business model.

#2 – Stop Human Pattern Matching

Humans see things they expect to see: the brain is wired to perceive what it is expecting. This is why optical illusions work, which was demonstrated to the audience with two illusions. Security people do this all the time: "I have XSS, so this is going to happen", "this vulnerability will cause this worm".

#3 – Community Driven Statistical modelling

An example of this is http://freerisk.org. It allows people to input and consume financial modelling data. In the security world there is no data that will give us a predictive model of how security behaves. Wine quality, by contrast, can be captured in a formula: Wine Quality = 12.145 + 0.00117 × winter rainfall + 0.0614 × average growing season temperature - 0.00386 × harvest rainfall. Where is the equivalent for security? Rubbish, you say? Well, the wine quality formula is actually used in the field now.

#4 – Teach Kids Computer Security

Computer Science students often do not know about IT security. It should be a core part of learning IT.

#5 – Make Developing Countries Centers for Security Excellence

IT security hotspots are where engineering is considered a good job.

#6 – Make hacking a competitive sport

If hacking is a competitive sport, nations might actually get good at it, and it might just increase funding for IT security.

#7 – Connected Information Security Framework

IT security tools do not talk to each other. You may want to get different parts of the IT security puzzle from different sources, but integrating the reports is very hard.

#8 – Embrace Design Driven Security

We must reward the builders AND the breakers. Not just the people who break IT Security.

#9 – Crowd Source Access Control

Resetting your banking password generally happens in a call center (probably in India). It is quite crazy that we trust people who do not know us at all to reset our password. Why not use the people who actually know you to determine whether you should get access or not? The OWASP wiki was actually very successful in this respect, because a social network of people who know each other controls who has access to edit the pages and who doesn't.
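As an added illustration (not from the talk) of what "the people who know you" could mean in code: a k-of-n vouching scheme for a password reset. It assumes that the account owner has pre-registered a set of trusted contacts, that a reset is only unlocked once THRESHOLD distinct trustees vouch for it within a time window, and that a stranger (the call-center operator in the text) is simply not in that set. The trust graph, names and thresholds are constructed sample data.

```python
from dataclasses import dataclass, field

# Policy knobs (assumed values for the example).
THRESHOLD = 2          # distinct trustees who must vouch before a reset is unlocked
WINDOW_SECONDS = 600   # all vouches must arrive within 10 minutes of the request

# Outcomes returned by SocialResetService.vouch()
NO_REQUEST = "no-request"        # nobody asked for a reset
EXPIRED = "expired"              # the window closed before enough vouches came in
NOT_A_TRUSTEE = "not-a-trustee"  # the voucher does not know the user (per the trust graph)
DUPLICATE = "duplicate"          # the same trustee cannot count twice
PENDING = "pending"              # vouch recorded, quorum not yet reached
APPROVED = "approved"            # quorum reached; the reset may proceed


@dataclass
class ResetRequest:
    user: str
    trustees: frozenset
    opened_at: float
    vouchers: set = field(default_factory=set)

    def expired(self, now: float) -> bool:
        return now - self.opened_at > WINDOW_SECONDS

    def approved(self) -> bool:
        return len(self.vouchers) >= THRESHOLD


class SocialResetService:
    """Crowd-sourced access control: a reset is authorised by the user's own contacts,
    not by an operator who has never met them."""

    def __init__(self, trust_graph: dict):
        # user -> frozenset of people the user registered as trusted contacts
        self.trust_graph = trust_graph
        self.requests = {}

    def open_request(self, user: str, now: float):
        trustees = self.trust_graph.get(user, frozenset()) - {user}  # never self-vouch
        if len(trustees) < THRESHOLD:
            return None  # not enough contacts to ever reach quorum; fall back elsewhere
        self.requests[user] = ResetRequest(user, trustees, now)
        return user

    def vouch(self, user: str, voucher: str, now: float) -> str:
        req = self.requests.get(user)
        if req is None:
            return NO_REQUEST
        if req.expired(now):
            del self.requests[user]  # stale request: vouches must start over
            return EXPIRED
        if voucher not in req.trustees:
            return NOT_A_TRUSTEE  # the call-center stranger lands here
        if voucher in req.vouchers:
            return DUPLICATE
        req.vouchers.add(voucher)
        if req.approved():
            del self.requests[user]  # one-shot: a reset token would be issued here
            return APPROVED
        return PENDING


def demo() -> list:
    """Walk through a happy path and an expiry; returns the observed outcomes."""
    svc = SocialResetService({"alice": frozenset({"bob", "carol", "dave"})})  # constructed
    out = []
    svc.open_request("alice", now=0.0)
    out.append(svc.vouch("alice", "mallory", 5.0))   # stranger: rejected
    out.append(svc.vouch("alice", "bob", 10.0))      # first trustee: pending
    out.append(svc.vouch("alice", "bob", 11.0))      # same trustee again: duplicate
    out.append(svc.vouch("alice", "carol", 20.0))    # quorum of 2: approved
    svc.open_request("alice", now=1000.0)
    out.append(svc.vouch("alice", "dave", 1700.0))   # 700 s later: expired
    return out


if __name__ == "__main__":
    print(demo())
```

The security-relevant checks are the three refusals: membership in the user's own trust set, de-duplication so one colluding contact cannot reach quorum alone, and a window so that vouches cannot be collected slowly over weeks. A real deployment would also authenticate each trustee before accepting the vouch and notify the account owner on every request.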

#10 – Adopt Agile Mindset

It is explained in the Agile Manifesto – http://agilemanifesto.org/

The agile mindset is about:
  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan
Within a constraint (time/resources) you write a working increment of the software.

Most security projects deal with a large amount of uncertainty and complexity. That is exactly where the Agile mindset fits.

Contract negotiations are done at the point where you know the least about what lies ahead, which basically sets you up for failure.

About the speaker:

Mark Curphey recently moved to a mainstream software management role at Microsoft running the MSDN Subscriptions engineering team. He started OWASP, ran Foundstone and held various security positions at banks around the world.
