security is hard
TRANSCRIPT
© 2010 – MAD Security, LLC. All rights reserved.
Security Is Hard.
Mike Murray, Managing Partner
MAD Security / Hacker Academy
Twitter: @mmurray
Information Security is Constantly Evolving
No I mean REALLY evolving.
[Figure: technology adoption curve, left to right: Innovators, Early Adopters, Early Majority, Late Majority, Laggards]
Vulnerability Distribution
So what?
[Diagram labels: Network; Human / Organization; Service / Server]
[Chart: Datalossdb.org Incidents over Time, 2000–2011. Left axis: Number of Incidents (0–900); right axis: Total Records (0–200,000,000)]
[Diagram: vulnerability layers, in the order shown: Network; Client; Human / Organization; Application; Service / Server]
[Security topics mapped onto those layers: WiFi Security; Vulnerability Management; IDS / IPS; Web Application Security; Endpoint Security; Application Whitelisting; Database Security; Secure Coding / SDLC; APT / Data Extrusion; GRC; Phishing; Spear Phishing; Mobile Apps; BYOD; Security Training; Role-Based Security; End User “Awareness”]
[Axis: Least Technical ... Most Technical. Roles along that axis: Security Awareness; Architecture; Audit; Management; Forensics/IR; Operations; Hacker]
The Incentives are Wrong.
What do we do about it?
Skills, Not Certifications
Systems Thinking
Just-In-Time (JIT) Education
Constantly Evolving Education
• Materials need to evolve as our industry does
• Educators need to be rewriting courses on a monthly timeframe, not yearly or every three years.
Education needs to Change!
Improve your HUMANS… Improve your SECURITY.