BSides Boston 2016

By regarding humans as the weakest link, contemporary information security perspectives disrespect users and business owners. We’ve failed in our attempts to tame the human. Code bases are getting larger and more complex while malware stays small and simple. People are universally terrible at applying patches, and patches may never actually reach the endpoint users due to layers of development responsibility. This problem will get exasperated as the steadily lower cost of IoT entry results in an onslaught of fly-by-night device makers that are unable to provide long-term maintenance support, leaving millions or billions of devices running unsupported code in their wake. Rather than persistently blame the human for the current troubled state of information security, we need act like hackers again and shift our perspective. Taking a Human-oriented security strategy changes the rules of the game, relieving users from the burden of past assumptions and allowing us to reassess what's possible to help them protect their environments. It’s well past time that we accept the need to change course, re-engage our inner hackers, and hack security.

In this briefing, I will discuss three key actions that security professionals can take to hack a human strategy into their regular routines: 1) Stop the blame by re-examining our core assumptions and changing our perspective on what it means to be secure, 2) Focus on solutions that show promise correcting inherent flaws, not on the problems that existing technologies fail to address, and 3) Collaborate with technology researchers to assist them in disrupting the security industry and potentially gain actionable value from participating in their research.