
Getting Past Blame - A Human Strategy for Hacking Security

Michael Figueroa at BSides Boston 2016

By regarding humans as the weakest link, contemporary information security perspectives disrespect users and business owners. We’ve failed in our attempts to tame the human. Code bases are getting larger and more complex while malware stays small and simple. People are universally terrible at applying patches, and patches may never actually reach the endpoint users due to layers of development responsibility. This problem will get exacerbated as the steadily lower cost of IoT entry results in an onslaught of fly-by-night device makers that are unable to provide long-term maintenance support, leaving millions or billions of devices running unsupported code in their wake. Rather than persistently blame the human for the current troubled state of information security, we need to act like hackers again and shift our perspective. Taking a human-oriented security strategy changes the rules of the game, relieving users from the burden of past assumptions and allowing us to reassess what's possible to help them protect their environments. It’s well past time that we accept the need to change course, re-engage our inner hackers, and hack security.

In this briefing, I will discuss three key actions that security professionals can take to hack a human strategy into their regular routines: 1) Stop the blame by re-examining our core assumptions and changing our perspective on what it means to be secure, 2) Focus on solutions that show promise in correcting inherent flaws, not on the problems that existing technologies fail to address, and 3) Collaborate with technology researchers to assist them in disrupting the security industry and potentially gain actionable value from participating in their research.

Michael A. Figueroa, CISSP, is the Cyber Innovations and Services Lead at Draper in Cambridge, MA. He primarily focuses on transitioning an advanced secure processor based on the open RISC-V ISA to market. He also serves as the program manager for advanced research in reverse engineering tools and in applying non-security emerging technologies such as deep machine learning and human analytics to security problems, designs secure solutions based on those research technologies and others from outside Draper, and manages service delivery for integrating those technologies into existing IT environments. He previously focused on large-scale system integration with mobile and cloud technologies as a research and software development manager for an innovative secure network and communications platform. He has also served as a CISO at a late-stage financial services startup and as a business executive for a security consulting startup, and has managed security integration for several government and commercial large-scale systems integration efforts. In his spare time, he is a certified youth soccer coach, world traveler, and philosopher. He holds a B.S. in Brain and Cognitive Sciences from MIT and an M.F.S. in High Tech Crime Investigations from the George Washington University. His recent publications include “Reduced Realistic Attack Plan Surface for Identification of Prioritized Attack Goals” and “A SOUND Approach to Security in Mobile and Cloud-Oriented Environments.”