Why IT Security is fucked up ... ... and what we can do about it - - PowerPoint PPT Presentation

SLIDE 1

Why IT Security is fucked up ... and what we can do about it

Stefan Schumacher
www.sicherheitsforschung-magdeburg.de
DeepSec 2014, Vienna, Austria, 2014-11-20

$ Id: ItSec-Input.tex,v 1.4 2014/11/20 16:22:14 stefan Exp $
Stefan Schumacher Why IT Security is fucked up ... DeepSec 2014 1 / 29

SLIDE 2

ToC

1. Intro
2. Social Science
3. Psychology
4. What to do?

SLIDE 5

About me

• Head of the Magdeburg Institute for Security Research
• Editor of the Magdeburg Journal of Security Research
• Freelance Security Consultant
• Hacker for 20 years, ex-NetBSD developer
• Educational Science and Psychology
• Research on Social Engineering, Security Awareness, Organizational Security
• psychological profiling for social engineering
• my PoV is more a psychological PoV

SLIDE 6

Psychology of Security

• Fundamental Research about the Perception of Security
• Fundamental Research about Personality/Attitudes and Security
• Organizational Development and Security
• Cultural Differences
• Didactics (Teaching Methodology) of Security
• What to teach?

SLIDE 8

Security in a Post NSA age?

• Talk at AusCERT (Australia) 2014
• Can there be »security« in a Post NSA age?
• Are the 5 eyes an almighty adversary?
• Panopticon / Panspectron
• If so, why and how?
• If not, shouldn’t we just surrender?

SLIDE 9

Security in a Post NSA age?

Of course there can and will be security post NSA. Let’s discuss some problems and ideas. And:

• have a holistic view (read: not just technical)
• use sociological system theory and 2nd order cybernetics
• use psychology to discuss human behaviour and experience
• reflect on the foundation of science, and how useful are the methods we use?

SLIDE 10

Definition (Outrage as a Svc @OaaSvc)

»Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014«

SLIDE 11

Stand Back!

SLIDE 12

Consequences for us?

• What do the Snowden Leaks mean for us as security researchers?
• Let’s assume there is an adversary with almost unlimited resources.
• How do we have to change how security works?
• What research has to be done?

SLIDE 13

2nd Order Cybernetics

break the circlejerk

• Cybernetics: transdisciplinary approach for exploring regulatory systems, their structures, constraints, and possibilities.
• Anything said, is said by an observer (Maturana/Varela)
• add the observer to the regulatory system: 2nd order cybernetics
• An observer acting in his field: 1st order cybernetics
• An observer discussing how he constructs his perception of the field he works in: 2nd order cybernetics (What the hell are we doing here?)

SLIDE 14

Trust

• Trust is one of the buzzwords here
• needs to be defined or explicated and operationalized (make it measurable)
• Niklas Luhmann explicated Trust in his 1968 Book Vertrauen as a »mechanism to reduce social complexity«
• social complexity is reduced with functional specialised subsystems
• Lawyers are experts for Laws, Hackers for IT-Sec, Physicians for Medicine etc. pp.

SLIDE 15

Consequences

• IT Security needs to professionalize beyond technical problems
• discussing the 31337th Buffer Overflow of the week won’t fix fundamental problems
• human factors have to be analysed
• extend IT Security to Information Security
• create a new scientific field of Information Security
  • include Psychology, Sociology, Educational Science, Didactics and others
  • operationalize Information Security to make it measurable
• create a new vocational field of Information Security backed by science

SLIDE 17

Why Psychology?

• empirical and theoretical science
• describes, explains and predicts human behaviour and experiences
• human development and the internal and external causes and conditions
• Differential and Personality P., Social P., Industrial P., Organisational P., Pedagogical P.

SLIDE 18

What is security?

Germany, Informatics

VIVA-Kriterien:
• confidentiality
• integrity
• availability
• authenticity

SLIDE 19

Paradigm Shift

• see Thomas S. Kuhn, The Structure of Scientific Revolutions
• Paradigm: a distinct concept or thought patterns and basic assumptions
• Paradigm Shift: change of these assumptions
• let’s change it

SLIDE 20

Psychology and IT-Security?

My Operationalisation of InfoSec

Security is a latent social construct.

SLIDE 21

Security and Psychology

• Security is concluded by making Decisions
• Individuals make decisions based on their Biography, the Situation and how they perceive their Environment
• see: von Foerster, Luhmann, Spencer Brown, Baecker et al.
• Psychology is the Science which researches these Topics.
• Therefore, Psychology is required to research Security.
• Psychology is the only Science able to research the basic fundamentals of Security.

SLIDE 24

Washing your Hands

• two maternity clinics in Vienna, the 1st with MDs, the second with midwives only
• more pregnant Women died in the 1st one
• pregnant women would rather give birth in the streets than be sent to the 1st clinic
• Ignaz Semmelweis discovered that Physicians transmit pathogenic agents (cadaverous poisoning)
• He proposed that Physicians should wash their Hands
• the death rate dropped 90%
• His Idea was rejected and he was considered to be crazy
• psychiatrised by force in Vienna
• This can only be explained by Psychology

SLIDE 25

1996: Ariane 5 Flight 501

320 000 000 Euro

SLIDE 27

Societal Problems

• digital divide
• economy and IT
• checks and balances?
• How do politicians decide about things they don’t understand? (Max Weber again ...)
• and scientists?
• Why and How did Rijndael become AES? NSA? NIST? Illuminati?

SLIDE 29

Political Problems

• Cyber-War? Cyber-Terror?
  • discussed by political scientists – who often don’t understand technology
  • discussed by IT sec – who often don’t understand social implications
  • discussed by the military – who often don’t understand anything
  • discussed by legal experts – who often don’t understand technology and social implications
• How to discuss Anonymous? Hacktivism? Neutral?

SLIDE 31

Reflection

• The information technology of society?
• The hackers of society?
• The intelligence services of society?

SLIDE 32

Conclusion

IT-Security needs its own research field: security research with its own foundation, methods and tools rooted in:

◮ Maths as formal science
◮ CS/EE as engineering science
◮ Sociology, Political Science as social science
◮ Jurisprudence as normative science
◮ Philosophy as mother of all sciences
◮ Psychology as hub science

SLIDE 33

Information Security Pedagogy

• Curriculum: Universities, Vocational Schools, Schools
• Didactics: Whom to teach? What to teach? How to teach? Training
• Jurisprudence: Norms
• Philosophy: Philosophy of Science
• Political Science: Policies, Governance, Normative Processes
• Sociology: Systems of Society, Organisational Sociology, Industrial Sociology
• Psychology: Personality Traits and Security, Research Methods, Perceptions of Security, Human Factors
• Maths: Formal Science
• Electrical Engineering, Computer Science

SLIDE 34

sicherheitsforschung-magdeburg.de
stefan.schumacher@sicherheitsforschung-magdeburg.de
sicherheitsforschung-magdeburg.de/publikationen/journal.html
youtube.de/Sicherheitsforschung
Twitter: 0xKaishakunin
Xing: Stefan Schumacher
GnuPG: 9475 1687 4218 026F 6ACF 89EE 8B63 6058 D015 B8EF