I am sitting in a hotel room on the outskirts of Chicago (warning, social media security breach) reflecting on the UNITED Security Summit (www.unitedsummit.org), which I was lucky enough to attend earlier this week.
For those of you who don’t know, this inaugural two-day summit centered around a data breach — a simulation that was analyzed technically, from the angles of ops, technology, prevention, and response. I was there as a UX researcher, watching, listening, and learning from people who spend their days (and sleepless nights, apparently) protecting critical assets from being compromised.
Stephen Dubner kicked off the summit by teaching us that the greatest risk of all for our security is accepting conventional wisdom. Then he shamed us all into washing our hands for the rest of the conference with a story about men who say they do, but really don’t. He was reminding us that survey data is what people say (their declared preferences, and probably not really true), and that revealed preferences, gathered by observation, are the only thing that really matters when one is calculating the real risk of human behavior. (This, by the way, is precisely why I am writing this from a hotel room. I am out on an ethnographic observation field trip to WATCH people — not just listen to what they tell me they think they are doing.)
But I digress. The real reason I am writing this is that @joshcorman’s presentation on Unconventional Adversaries has been on my mind. His thesis is that with the rise of APTs, adaptive persistent adversaries, and chaotic actors like Anonymous, having a “fear the auditor more than the attacker” stance is bad juju.
And then he perked up my UX ears by telling some compelling stories about hackers that all centered around their GOALS. Yes, goals. All hackers tend to be deliberate, patient, adaptive, and persistent, but they have unique goals. Different hackers have different reasons for hacking — different asset targets and different methods. Some hackers just want to have fun and make a point — and others have pure evil malice as their motive.
It’s funny how we all “know” this stuff — but until we put a face to a name and hear a story, it all seems somehow detached and unreal. It made me consider adding hacker personas (see my last blog post on this topic) to our mix. But — that would be too much fun and we have to solve problems for the good guys.
So, tomorrow, I am going to be watching some people look at unauthorized change data. I am going to be watching and asking a lot of questions.
Who made that change? Does it matter?
What assets are affected? Do they have value?
What method is being used? What are you going to do next?
If you’re interested in learning more about how to achieve better security, watch this videocast with Josh Corman and Mike Dahn.