BSides Las Vegas – Incidents happen, react and learn from them

Don’t be afraid to speak about incidents, and use knowledge and experience to benefit yourself and others.
 
In his keyote address titled “Beyond good and evil” at BSides Las Vegas, threat modelling author and expert Adam Shostack claimed that there is a danger of security professionals “burning out” due to levels of exhaustion, cynicism and efficacy.
 
He said: “If we cannot prevent our networks from getting hacked, it seems to me to relate to efficacy, and that relates to burnout. Experienced management look like they are pouring money into a black hole as they know we will ask again in three months for more and you still won’t know if you’ve been hacked. Sometimes it is too hard to defend our systems.”
 
He claimed that despite an investment in controls and “what we are told is best practice or compliance”, what is missing is the lessons learned after the fact to make sure it doesn’t happen again. He said: “But we are missing the feedback loops and we do not plug what we have learned into anything, and we are missing the science. We make statements which we believe in and are not tied to our profession – that is why we are burned out.”
 
Shostack claimed that we love to hear evil, but the problem is we do not see or speak “evil”, and never own up to the problem wbich has occcured. He especially praised Bit9 CTO Harry Sverdlove for the detailing of their incident in 2013, as Sverdlove said: “We didn’t lose any customers or prospects, in fact it increased the respect from many of our customers”.
 
Shostack said: “You are part of the problem – part of problem as you don’t talk about issues and sweep them under the rug. You’re afraid and don’t have to be, but you let people who are afraid win and instead of talking, you just do the minimum and if it is not required by law, you don’t say anything.”
 
He concluded by acknowledging that talking about incidents at scale is difficult, but it is hard to convince people it is the right thing to do, but said that providing details on the truth is better than being a press target for a long time.