At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts, and made suggestions about what improved solutions might look like. During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is relying on the wrong people to solve this challenge. Are People The Problem? Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN and the AP’s twitter feeds, or a hack of Target’s HVAC contractor leading to their breach, people are[…]

Last week at the RSA Conference I had the opportunity to attend the “Mobile Security Battle Royale”, featuring a great panel of experts on mobile phone security. Moderated by Zach Lanier, the panel featured Tiago Assumpção and Collin Mulliner paired off against Charlie Miller and Dino Dai Zovi (co-authors of iOS Hacker’s Handbook). As many great panels typically do, this panel featured no slides and no set talking points. Instead, Zach asked the panel some great questions to just get the ball rolling, and the panel started firing off great quotes left and right. I got busy live-tweeting the session and got (and re-tweeted) a few great quotes from many of the panel members which I have embedded below. One of the recurring themes was “which is[…]

At the RSA Conference today, I attended an excellent panel discussion titled Y U NO HAZ METRICS? The speakers were David Mortman, Jack Jones, Alex Hutton, and Caroline Wong, and the panel was moderated by John Johnson. The panel discussed risk management more than they discussed specific metrics, which was slightly different than what I expected. However, the panel surpassed my expectations. A commenter towards the end of the session made an analogy which I thought was a good one. He said that risk management is like risotto. It has three basic ingredients, and you put them together and adjust the balance until it tastes good to you. In other words, no two risottos (or risk management programs) will[…]

This morning, the 2013 RSA Conference truly got kicked off. Conference attendees gathered by the thousands into the main keynote hall at the Moscone Center in San Francisco. First up was a rousing set of Queen hits by a Queen tribute band. Unlike past years where a popular song is performed using primarily security-related lyrics, this year the music stayed mostly true to form. “We Will Rock You”, “We Are The Champions”, and “This Thing Called Love” were performed, and only a few lines at the very end of the last number were changed to security-related lyrics. The lead singer of the tribute band (The Queen Extravaganza) was quite good! Art Coviello, Executive Chairman of RSA followed the band and[…]

And now it’s time for a commercial message. I was selected to be a Peer2Peer session facilitator for the 2012 RSA conference, taking place February 27-March 2 in San Francisco. My session is entitled Improving Security Policy: What Works? The session will occur February 29 at 8am, more details are at this link. I plan to facilitate discussions about both what is wrong with Security Policy, and what works to improve it. Google’s new privacy policy will likely come up in discussion, along with some of my notions on prioritizing policy. I invite all those who have had to write policy, read policy, and/or put policy into practice to attend. It should be a good discussion, and when we’re done[…]

If you’re interested in online security, you’ve probably heard about HBGary. If you haven’t, here’s a brief rundown with a few links: A security firm, HBGary (or, more accurately, HBGary’s subsidiary HBGary Federal) announced that they had discovered the names of some of the supposed ringleaders of the “hacktivist” organization Anonymous. This “angered the hive” and – rather than the generally low-risk and unsophisticated DDOS attacks for which Anonymous is better known – Anonymous used a combination of social engineering, SQL Exploits, and password cracking to compromise one of HBGary’s servers. They leveraged that to get into multiple servers, ultimately gaining access to HBGary’s email and no few internal documents – including business plans and proposals to potential clients. Anonymous[…]