Bruce Schneier Talk

Posted on by Andy S

I recently attended a talk by Bruce Schneier talking about Automation and his new book “Click here to kill everybody” (charming)

Though the talk wasn’t specific to SOAR, it’s still relevant to IT Security I think this borders on similar concepts to SOAR, so here are my personal notes from the talk

  • There will always be vulnerabilities as all software is crap…. we want it cheap, fast and now
  • All computers are platforms and therefore extensible by design
  • Bigger means complex, more attack surface, more insecure
  • Putting 2 Systems together which were not designed together, creates a vulnerability, it’s no one’s fault but it’s there
  • Security hasn’t changed in 10 years but computers platforms are changing a lot (IOT etc)
  • Stealing blood type information from a hospital is bad, changing blood type information is worse (integrity vs confidentiality)
  • Computers break at scale, all at once, think contact-less hotel door, once a vulnerability is discovered every door is ‘broken’ in the same moment
  • It’s a style of failure we’re just not experienced in dealing with
  • Best way to patching legacy kit is simply throw it away and rebuild
  • Replace a phone battery yearly, replace a fridge every decade
  • The world will be swamped with non patched devices soon
  • We are moving further away from “thing to person auth” and even more to “thing to thing” auth, we don’t know how to do this on the scale needed
  • Imagine a city of 1,000,00 cars needing “thing to thing” auth to inform and talk to each other
  • Cyber skills gap, so we need to automate more
  • How do you build something secure, on top of unsecure parts?

The talk summarised with the need for regulation from the govt.

  • Regulation is the only answer. You trust a restaurant won’t poison you, and that the building you’re under wont collapse on you as it’s regulated. Regulation isn’t perfect but it works all around us quite well.
  • Regulate in one place, and every territory should benefit. i.e. companies don’t want 2 code bases, it’s simpler and cheaper to to work it out for the area with the highest standards then use this in other locations

Some food for thought?

Andy