why it security is fucked up
play

Why IT Security is fucked up ... ... and what we can do about it - PowerPoint PPT Presentation

Oct 24, 2022 •126 likes •477 views

Why IT Security is fucked up ... ... and what we can do about it Stefan Schumacher www.sicherheitsforschung-magdeburg.de DeepSec 2014 Vienna, Austria 2014-11-20 $ Id: ItSec-Input.tex,v 1.4 2014/11/20 16:22:14 stefan Exp $ Stefan Schumacher

  1. Why IT Security is fucked up ... ... and what we can do about it Stefan Schumacher www.sicherheitsforschung-magdeburg.de DeepSec 2014 Vienna, Austria 2014-11-20 $ Id: ItSec-Input.tex,v 1.4 2014/11/20 16:22:14 stefan Exp $ Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 1 / 29

  2. ToC Intro 1 Social Science 2 Psychology 3 What to do? 4 Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 2 / 29

  3. ToC Intro 1 Social Science 2 Psychology 3 What to do? 4 Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 3 / 29

  4. About me Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 4 / 29

  5. About me Head of the Magdeburg Institute for Security Research Editor of the Magdeburg Journal of Security Research Freelance Security Consultant Hacker for 20 years, ex-NetBSD developer Educational Science and Psychology Research on Social Engineering, Security Awareness, Organizational Security psychological profiling for social engineering my PoV is more a psychological PoV Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 5 / 29

  6. Psychology of Security Fundamental Research about the Perception of Security Fundamental Research about Personality/Attitudes and Security Organizational Development and Security Cultural Differences Didactics (Teaching Methodology) of Security What to teach? Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 6 / 29

  7. ToC Intro 1 Social Science 2 Psychology 3 What to do? 4 Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 7 / 29

  8. Security in a Post NSA age? Talk at AusCERT (Australia) 2014 Can there be »security« in a Post NSA age? Are the 5 eyes an almighty adversary? Panopticon � Panspectron If so, why and how? If not, shouldn’t we just surrender? Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 8 / 29

  9. Security in a Post NSA age? Of course there can and will be security post NSA. Let’s discuss some problems and ideas. And have a holistic view (read: not just technical) use sociological system theory and 2nd order cybernetics use psychology to discuss human behaviour and experience reflect on the foundation of science and how useful are the methods we use? Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 9 / 29

  10. Definition (Outrage as a Svc @OaaSvc) Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014 Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 10 / 29

  11. Stand Back! Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 11 / 29

  12. Consequences for us? What do the Snowden Leaks mean for us as security researchers? Let’s assume there is an adversary with almost unlimited resources. How do we have to change how security works? What research has to be done? Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 12 / 29

  13. 2nd Order Cybernetics break the circlejerk Cybernetics: transdisciplinary approach for exploring regulatory systems, their structures, constraints, and possibilities. Anything said, is said by an observer (Maturana/Varela) add the observer to the regulatory system: 2nd order cybernetics An observer acting in his field: 1st order cybernetics An observer discussing how he constructs his perception of the field he works in: 2nd order cybernetics (What the hell are we doing here?) Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 13 / 29

  14. Trust Trust is one of the buzzwords here needs to be defined or explicated and operationalized (make it measurable) Niklas Luhmann explicated Trust in his 1968 Book Vertrauen as a »mechanism to reduce social complexity« social complexity is reduced with functional specialised subsystems Lawyers a experts for Laws, Hackers for IT-Sec, Physicians for Medicine etc. pp. Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 14 / 29

  15. Consequences IT Security needs to professionalize beyond technical problems discussing the 31337th Buffer Overflow of the week won’t fix fundamental problems human factors have to be analysed extend IT Security to Information Security create a new scientific field of Information Security include Psychology, Sociology, Educational Science, Didactics and others operationalize Information Security to make it measurable create a new vocational field of Information Security backed by science Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 15 / 29

  16. ToC Intro 1 Social Science 2 Psychology 3 What to do? 4 Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 16 / 29

  17. Why Psychology? empirical and theoretical science describes, explains and predicts human behaviour and experiences human development and the internal and external causes and conditions Differential and Personality P., Social P., Industrial P., Organisational P., Pedagogical P. Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 17 / 29

  18. What is security? Germany, Informatics VIV A-Kriterien confidentiality integrity availability authenticity Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 18 / 29

  19. Paradigm Shift see Thomas S. Kuhn The Structure of Scientific Revolution Paradigm: a distinct concept or thought patterns and basic assumptions Paradigm Shift: change of these assumption let’s change it Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 19 / 29

  20. Psychology and IT-Security? My Operationalisation of InfoSec Security is a latent social construct. Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 20 / 29

  21. Security and Psychology Security is concluded by making Decisions Individuals make decisions based on their Biography, the Situation and how they perceive their Environment see: von Foerster, Luhmann, Spencer Brown, Baecker et.al. Psychology is the Science which researches these Topics. Therefore, Psychology is required to research Security. Psychology is the only Science able to research the basic fundamentals of Security. Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 21 / 29

  22. Washing your Hands two maternity clinics in Vienna, the 1st with MDs the second with midwifes only more pregnant Women died in the 1st one pregnant women would rather give birth in the streets than be sent to the 1st clinic Ignaz Semmelweis discovered that Physicians transmit pathogenic agents (cadaverous poisoning) He proposed that Physicians should wash their Hands the death rate dropped 90% His Idea was rejected and he was considered to be crazy psychiatrised by force in Vienna Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 22 / 29

  23. Washing your Hands two maternity clinics in Vienna, the 1st with MDs the second with midwifes only more pregnant Women died in the 1st one pregnant women would rather give birth in the streets than be sent to the 1st clinic Ignaz Semmelweis discovered that Physicians transmit pathogenic agents (cadaverous poisoning) He proposed that Physicians should wash their Hands the death rate dropped 90% His Idea was rejected and he was considered to be crazy psychiatrised by force in Vienna This can only be explained by Psychology Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 22 / 29

  24. Washing your Hands two maternity clinics in Vienna, the 1st with MDs the second with midwifes only more pregnant Women died in the 1st one pregnant women would rather give birth in the streets than be sent to the 1st clinic Ignaz Semmelweis discovered that Physicians transmit pathogenic agents (cadaverous poisoning) He proposed that Physicians should wash their Hands the death rate dropped 90% His Idea was rejected and he was considered to be crazy psychiatrised by force in Vienna This can only be explained by Psychology Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 22 / 29

  25. 1996: Ariane 5 Flight 501 320 000 000 Euro Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 23 / 29

  26. ToC Intro 1 Social Science 2 Psychology 3 What to do? 4 Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 24 / 29

  27. Societal Problems digital divide economy and IT checks and balances? How do politicians decide about things they don’t understand? (Max Weber again ...) and scientists? Why and How did Rijndael become AES? NSA? NIST? Illuminati? Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 25 / 29

  28. Societal Problems digital divide economy and IT checks and balances? How do politicians decide about things they don’t understand? (Max Weber again ...) and scientists? Why and How did Rijndael become AES? NSA? NIST? Illuminati? Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 25 / 29

  29. Political Problems Cyber-War? Cyber-Terror? discussed by political scientists – who often don’t understand technology discussed by IT sec – who often don’t understand social implications discussed by the military – who often don’t understand anything discussed by legal experts – who often don’t understand technology and social implications How to discuss Anonymous? Hacktivism? Neutral? Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 26 / 29

Recommend

fake its fucked up anyways How and why we are wrong on the Internet Food historian

fake its fucked up anyways How and why we are wrong on the Internet Food historian

I dont care that its fake its fucked up anyways How and why we are wrong on the Internet Food historian critical to story about meatballs Editor Oliver Grassman of Sweden.se: We based this on what we thought was the

747 views • 48 slides
Richard M. Nixon 1) How to raise a fucked-up kid 2) Fighting Wars for Fun and Profit 3)

Richard M. Nixon 1) How to raise a fucked-up kid 2) Fighting Wars for Fun and Profit 3)

Lessons From the Life of Richard M. Nixon 1) How to raise a fucked-up kid 2) Fighting Wars for Fun and Profit 3) Red-Baiting for dummies 4) Dogs are cute 5) Makeup is important on TV Image not licensed - Removed for internet distribution

413 views • 18 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
No, Tuesday's No Good. Can I Get No, Tuesday's No Good. Can I Get Back to You After the

No, Tuesday's No Good. Can I Get No, Tuesday's No Good. Can I Get Back to You After the

No, Tuesday's No Good. Can I Get No, Tuesday's No Good. Can I Get Back to You After the Apocalypse? Back to You After the Apocalypse? You are all totally fucked. Part 1 The Death of Everything Newspapers But Dont, You Know, Pay For Them

993 views • 52 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM & UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Material and some slide content from: - Software Architecture: Foundations, Theory, and Practice - Krzysztof Czarnecki Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security: The protection a ff orded a

160 views • 4 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides

More recommend