dealing with adversarial relationships in information
play

Dealing with Adversarial Relationships in Information Security - PowerPoint PPT Presentation

Nov 16, 2023 •143 likes •528 views

Dealing with Adversarial Relationships in Information Security Daniel Crowley, Head of Research Daniel Crowley Head of Research X-Force Red Common Misconceptions #1: We Create Problems We do not create vulnerabilities, only find them QA

  1. Dealing with Adversarial Relationships in Information Security Daniel Crowley, Head of Research Daniel Crowley Head of Research X-Force Red

  2. Common Misconceptions

  3. #1: We Create Problems We do not create vulnerabilities, only find them – QA doesn't create bugs, do they? – Vulns come from development, design, and inheritance We are not making more work – We identifying where work already needs doing

  4. #2: We Overstate Severity If we're not careful, this may be true – Vuln scanners and pen testers are incentivized to inflate severity – We may feel personal attachment to our findings If everything is Critical, nothing is – Severity exists to allow prioritization of limited resources – Impact must be tempered by pre-requisites (e.g. BEAST) Have a real, thought-out framework for severity

  5. #3: We Are Incompetent "If you're a real hacker why do you need" – Internal network access – Credentials – Documentation A bug you don't really understand may look like bullshit – SSRF Be ready to explain your job / findings

  6. #4: We Want to Get People Fired Most of the time, this isn't true Thankfully, we aren't incentivized to get people fired

  7. #5: We Are Trying to Extort People Most of us aren't Mostly a problem in vulnerability disclosure If you don't understand someone's motivation, you may assign them one – Alluding to your motivation helps

  8. Language-Games

  9. Ludwig Wittgenstein German philosopher Focused on communication and miscommunication

  10. What is a Language-Game? Language applied to some mode of life – A verbal protocol with a goal Goal can be many things including: – Education – Conveyance of facts and figures – Instruction – Comfort – Recreation / Entertainment

  11. A simple, strict language-game A surgeon has a series of command words they can speak Every command word is first repeated by the assistant as acknowledgement Some of these are tool names The assistant provides the tool (scalpel, forceps) Some of these are processes (wipe, The assistant performs the associated action pressure)

  12. A deceptive language-game When someone "wants to debate" you on the Internet And they're "just asking questions" And they want to "consider all ideas equally" It may be that they are not playing the Collaborative Mutual Education game They may be playing the Promote Bad Ideas game

  13. When language-games clash You may share a fictional story, playing the Storytelling game Your story may mistakenly be received as History Lessons You may be playing the Relax With A Friend game But if you ask someone if they want to watch Netflix and chill They might think you're playing a very different game

  14. Infosec language games Convey Risk Communicate Bug Details Security Education Share Threat Information Get Management Support Prove I'm a Good Hacker

  15. Some adversarial games Prove that I'm Not Stupid Keep My Job Reduce My Workload Meet the Deadline Keep Customers / Contract Pass the Audit

  16. Identifying and Resolving Adversarial Games

  17. Prove that I'm Not Stupid Ego may be hurt when mistakes are pointed out When: – Nobody likes having their baby called ugly – Disclosing issues to the person responsible for them – There are lots of ugly babies nonetheless Game player will try to prove they're smart or you're stupid Possible tells: – Downplay / denial of bugs they are responsible for – Condescension – Unnecessary displays of knowledge – Pedantic nitpicking

  18. Prove that I'm Not Stupid - Fix Provide an example of good security along with bad – Not your job, but easier than fighting ego Give an out like "nobody gets this right first try" Don't do things like putting people's passwords in reports – Don't make people feel stupid and you won't have to deal with this Find something to agree with them on

  19. Keep My Job Some people may fear for their job When: – At times rightfully so – Disclosing issues to the person responsible for them with management present In most cases, vulns aren't a job-ender Game player will try to maximize their perceived worth Possible tells include: – Blame shifting – Denial / downplay of all bugs they may have created – Attacks on your competence / character – Reminders of their worth / effort

  20. Keep My Job - Fix If it's not malicious or criminally negligent – "It's an easy mistake to make" Remind that even the best programmers make bugs – Security bugs are a subclass of bugs "Security is a process" If possible, do not include managers on the call

  21. Reduce My Workload Some developers are overworked When: – Disclosing to someone responsible for addressing the – Others are not overworked but want to do less issue work anyway – Still others are required to fix security bugs free by contract Possible tells include: Won't be this if game player isn't responsible for – Asking if existing controls are enough addressing issue! – Exaggerating cost / effort of fix Game player will try to minimize response effort – Shifting responsibility – Denial / downplay of bugs they are responsible for – Throwing red tape

  22. Reduce My Workload - Fix Discuss solutions, especially low-effort but effective ones – "There are plug-in frameworks built to mitigate CSRF" – "You can use NaCl and not have to create your own cryptosystem" – "Your web framework has a drop-in authc/authz system you can use" Refute bug denials If needed, include their manager on the call

  23. Meet the Deadline Fixing bugs takes time When: Some devs get too little time to work – Disclosing issues – Speed to market means more profit Some security tests get thrown in right before Possible tells include: release allowing no time for security fixes – Denial of only deadline blocking bugs More likely to be played by management – Asking questions about how long to fix Can't be this with no deadline – Can it be fixed after go-live Game player will try to reduce fix time – Throwing red tape

  24. Meet the Deadline - Fix Suggest quickly implemented solutions for hard to fix issues Remind them that severity rankings exist to aid prioritization Throw the person who decided to schedule security testing a week before go-live under the bus

  25. Keep Customers / Contract Some people see security and usability as a When: dichotomy – Disclosing issues, usually to mgmt / sales- – It isn't, fixing a buffer overflow doesn't change involved people UX – Bug readout call with contract buyer and seller Some people want to deny bug existence to avoid damaging company image Possible tells include: – These people are shitty – Denial / downplay of all bugs Game player will minimize bugs and maximize their own value – Mentioning customer impact of fixing bugs – "Feature not bug"

  26. Keep Customers / Contract - Fix Point out false dichotomy between usability / security If doing coordinated vulnerability disclosure: – Remind them bugs are going public either way – They choose how to respond to early warning about the bugs – They can be the hero or the villain (don't actually say this) Point out that customers hate having their identity stolen more than UX changes

  27. Pass the Audit Some security testing is done for compliance When: – PCI – Test readout as part of audit – HIPAA – Govt-mandated Potential tells include: Audits are not fun – Denial of only audit blocking bugs People usually want to get back to business as – Bringing up audit language / compliance terms usual Game player will focus on passing the audit as cleanly as possible

  28. Pass the Audit - Fix Remind them you don't decide pass/fail – Unless you do

  29. Punish For the Outage Outages cost money When: They're also a risk associated with testing in prod – You took something down by mistake If you cause one, you will have people angry at you Tells: – Pretty obvious

  30. Punish For the Outage - Fix Reframe the situation – "I'm so glad we found this problem; all it took was one laptop and a mistake" – "Can you imagine if someone was TRYING to do this?" – People have thanked me at the end of a call where they had planned to burn me at the stake Make sure you mention you're aware of and regret the outage Ask if testing can be switched to a non-prod environment (if applicable) Remember: – It isn't really your fault, you weren't trying to knock it over – Every seasoned security tester has at least one of these stories

  31. General Advice

  32. General tips – Identifying games Asking for confirmation can help identification – Works well for Pass the Audit – Doesn't work for Prove I'm not Stupid Learn about the dynamics of the situation – Who are the players? – What do they stand to gain / lose? Use process of elimination to narrow possibilities – Can't be Meet the Deadline with no deadline

  33. General tips – Defending bugs Be honest with severity rankings – If every bug is High / Crit, none of them are – Verbose error messages aren't as bad as SQLi Create air-tight bug reports – Give evidence of the bug's existence and impact – Severity should consider impact AND pre-requisites

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Conflicts of Interest: Dealing with the Inevitable! Conflicts of Interest: Dealing with the

Conflicts of Interest: Dealing with the Inevitable! Conflicts of Interest: Dealing with the

Conflicts of Interest: Dealing with the Inevitable! Conflicts of Interest: Dealing with the Inevitable! Conflicts of interest are inherent in all human relationships. Charlotte Jefferies Horty, Springer & Mattern Be Sensitive to,

222 views • 4 slides
Dealing With The Irate Customer Dealing With The Irate Customer Dealing with difficult

Dealing With The Irate Customer Dealing With The Irate Customer Dealing with difficult

3/23/2016 Dealing With The Irate Customer Dealing With The Irate Customer Dealing with difficult conversations Dealing with angry customers Dealing with dissatisfied customers Problem solving model Three breakthrough techniques

637 views • 17 slides
Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain TPMPC 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

925 views • 69 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain EUROCRYPT 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

1.11k views • 57 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
Living l life o on a See ee-Saw aw Dealing with Borderline Personality Disorder Becky

Living l life o on a See ee-Saw aw Dealing with Borderline Personality Disorder Becky

Living l life o on a See ee-Saw aw Dealing with Borderline Personality Disorder Becky Blackwell Define Borderline Personality Disorder Symptoms of BPD Fear of abandonment Unstable relationships Impulsive, self-destructive

342 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
AIRWeb 2009 The Potential for Research and Development in Adversarial Information Retrieval

AIRWeb 2009 The Potential for Research and Development in Adversarial Information Retrieval

AIRWeb 2009 The Potential for Research and Development in Adversarial Information Retrieval Brian D. Davison Computer Science and Engr., Lehigh University 2 AIRWeb after 5 years Self-examination natural Redirection possibilities

681 views • 39 slides
Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba

Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba

Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba AliMe X-Lab Outline GAN Definition and formulation Saddle point optimization Vanishing gradient Alternative objective for Generator

516 views • 25 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
DCLARATION DE LIENS D'INTRT AVEC LA PRSENTATION Intervenant : Maxime TAPPONNIER, Sion

DCLARATION DE LIENS D'INTRT AVEC LA PRSENTATION Intervenant : Maxime TAPPONNIER, Sion

DCLARATION DE LIENS D'INTRT AVEC LA PRSENTATION Intervenant : Maxime TAPPONNIER, Sion Je n'ai pas de lien d'intrt dclarer Leon de modestie Dr Maxime Tapponnier Cardiology department Sion & CHUV Hospital Switzerland

360 views • 19 slides
Complementizer Deletion in Embedded Gapping in Spanish Max Bonke mbonke@uni-koeln.de Sophie Repp

Complementizer Deletion in Embedded Gapping in Spanish Max Bonke mbonke@uni-koeln.de Sophie Repp

Complementizer Deletion in Embedded Gapping in Spanish Max Bonke mbonke@uni-koeln.de Sophie Repp sophie.repp@uni-koeln.de ECBAE 2020 15.07.2020 Max Bonke & Sophie Repp (ECBAE 2020) Comp Deletion in Embedded Gapping 15.07.2020 1 / 22

556 views • 36 slides
BIOLOGY Progressive Science Initiative This material is made freely available at www.njctl.org

BIOLOGY Progressive Science Initiative This material is made freely available at www.njctl.org

Slide 1 / 21 Slide 2 / 21 New Jersey Center for Teaching and Learning BIOLOGY Progressive Science Initiative This material is made freely available at www.njctl.org and is intended for the non-commercial use of Animal & Plant Lab

280 views • 4 slides
SUPERVASION PROJECT SUPERVISION BY OBSERVATION USING INDUCTIVE PROGRAMMING DAVID NIEVES CORDONES

SUPERVASION PROJECT SUPERVISION BY OBSERVATION USING INDUCTIVE PROGRAMMING DAVID NIEVES CORDONES

SUPERVASION PROJECT SUPERVISION BY OBSERVATION USING INDUCTIVE PROGRAMMING DAVID NIEVES CORDONES daniecor@dsic.upv.es CARLOS MONSERRAT ARANDA cmonserr@dsic.upv.es JOS HERNNDEZ ORALLO jorallo@dsic.upv.es DAVID NIEVES CORDONES -

248 views • 24 slides
Objectives Objectives Understand the hazards that exist in long term care Learn how to

Objectives Objectives Understand the hazards that exist in long term care Learn how to

The Arkansas Self-Insurance Trust and Mike Johnson & Associates present Exposure Control Practices for Housekeeping and Laundry Staff Todays Presenter: Darrell G. Toenjes, ARM, CHSP, CWCP Darrell G. Toenjes, ARM, CHSP, CWCP Healthcare

487 views • 11 slides
Laboratory Equipment & Safety Symbols CHEMISTRY GRADE 10 Laboratory Equipment Beaker

Laboratory Equipment & Safety Symbols CHEMISTRY GRADE 10 Laboratory Equipment Beaker

Laboratory Equipment & Safety Symbols CHEMISTRY GRADE 10 Laboratory Equipment Beaker Mortar and Pestle Laboratory Equipment Watch Glass Evaporating Dish Laboratory Equipment Florence (Volumetric) Plastic Wash Bottle Flask (Washing

409 views • 21 slides
TractoR and Other Software Jon Clayden <j.clayden@ucl.ac.uk> DIBS Teaching Seminar, 15 Nov

TractoR and Other Software Jon Clayden <j.clayden@ucl.ac.uk> DIBS Teaching Seminar, 15 Nov

TractoR and Other Software Jon Clayden <j.clayden@ucl.ac.uk> DIBS Teaching Seminar, 15 Nov 2016 Photo by Jos Martn Ramrez Carrasco https://www.behance.net/martini_rc TractoR A platform for multimodal image analysis A

728 views • 25 slides
CS 184: Foundations of Computer Graphics Kinematics of Articulated Bodies Rahul Narain

CS 184: Foundations of Computer Graphics Kinematics of Articulated Bodies Rahul Narain

CS 184: Foundations of Computer Graphics Kinematics of Articulated Bodies Rahul Narain Kinematics vs. dynamics Kinematics = motion but no forces Keyframing, motion capture, etc. Dynamics = motion from forces Simulation

473 views • 35 slides

More recommend