Research and Development

Presentation on the need to re-examine how we engineer systems (taking service providers as an example) and the implications for how we quantify cyber risk if we want to take this message into the board room (as given at BT’s SnoopCon 2019 and Cisco’s June 2019 Knowledge Network webinar for service providers).

Having delivered security consultancy as part of Portcullis/Cisco for over 15 years, I’ve seen a variety of shades of broken. Since I recently spent some time on secondment to one of our customers to help them design, build and operationalise security as part of their digital transformation programme, I got to thinking: what would I do if I wanted to get projects delivered right? With apologies to grsec, Jericho Forum, BeyondCorp and Trusted Computing, what followed was part philosophy, part technical brain dump, the result being my take on security engineering and how to build defensible systems. This talk includes the following hits:

  • Helping the blue team – a case study in 3 parts…
  • Blue doesn’t have the manpower to adopt gift-wrapped improvements, let alone offensive research thrown over the wall
  • Static passwords – why the hell are we still using them?
  • Vulnerability management – didn’t we say blacklists were bad?
  • Forget about penetration testing – what are your controls?
  • Is there another way to report – why don’t businesses listen to us?
  • Monetising MITRE – can we make money out of CVEs?

Download: SEAMFDS (SEAMFDS.pdf), June 28, 2019, 311.8 KiB, MD5 hash: 185701fbc113ca2a676e802b61df53e2
