All systems fail; there is no system without flaws. Each connection and dependency exposes those flaws to accidents and adversaries, and the result is system failure. Unknown flaws in connected devices are potential risks to public safety and human lives. Security research explores new systems and reveals these flaws, but research alone does not deliver safer systems.
Recent stunt hacks have left us with a hangover. As the media hype dies down, the publicity bubble is replaced by a vacuum that calls for action. In the absence of clear, technically literate direction, that vacuum is filled by opportunists who have an agenda, want to push a product, or prefer to perpetuate the situation. That is not the result this research deserves.
This presentation picks up where most security research leaves off and sketches a roadmap to resolution. We consider the road forward to be our group of volunteers, "I am the Cavalry", working together to promote and encourage not repeating the mistakes we have been making in enterprise security for the last 30-odd years. I am the Cavalry is about collaboration between researchers, thinkers, lawyers, lawmakers and vendors/producers of connected devices to make those devices worthy of our trust.
Bio:
Claus Cramon Houmann
I am the Cavalry member
Former Head of IT at a small Bank in Luxembourg
Community Manager at Peerlyst
Independent Consultant in IT / Information Security
Addicted to Infosec
Thecavalryisus owasp eee-oct2015_v2
1. I AM THE CAVALRY
http://iamthecavalry.org
@iamthecavalry
SHOULDN’T YOU BE ALSO?
2. CLAUS CRAMON HOUMANN
Infosec Community Manager @ Peerlyst
(A start-up Infosec community/Social platform that wants to turn the tables on cyber security)
Infosec Consultant
The Analogies contributor
Twitter: @claushoumann
7. WHERE DO WE SEE CONNECTIVITY NOW?
In Our Bodies, In Our Homes, In Our Infrastructure, In Our Cars
8. HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ?
In Our Bodies, In Our Homes, In Our Infrastructure, In Our Cars
9. SAY BABY MONITORS AGAIN?
In Our Homes
Source: Rapid7 research/Mark Stanislav: Baby monitors
https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-
24. NEVER DOUBT THAT A SMALL GROUP
OF THOUGHTFUL, COMMITTED
CITIZENS CAN CHANGE THE WORLD;
IT’S THE ONLY THING
THAT EVER HAS.
- Margaret Mead (an American cultural anthropologist)
25. The Cavalry isn't coming… It falls to us
Problem Statement
Our society is adopting connected
technology faster than we are able to
secure it.
Mission Statement
To ensure connected technologies with
the potential to impact public safety
and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass roots initiative
What: Long-term vision for cyber safety
Medical, Automotive, Connected Home, Public Infrastructure
I Am The Cavalry
26. Connections and Ongoing Collaborations
5-Star Framework
5-Star Capabilities
Safety by Design – Anticipate failure and plan mitigation
Third-Party Collaboration – Engage willing allies
Evidence Capture – Observe and learn from failure
Security Updates – Respond quickly to issues discovered
Segmentation & Isolation – Prevent cascading failure
Addressing Automotive Cyber Systems
Automotive Engineers, Security Researchers, Policy Makers, Insurance Analysts, Accident Investigators, Standards Organizations
https://www.iamthecavalry.org/auto/5star/
27. www.iamthecavalry.org
@iamthecavalry
5-Star Cyber Safety
Formal Capacities
1. Safety By Design
2. Third Party Collaboration
3. Evidence Capture
4. Security Updates
5. Segmentation and Isolation
Plain Speak
1. Avoid Failure
2. Engage Allies To Avoid Failure
3. Learn From Failure
4. Respond to Failure
5. Isolate Failure
30. AND MORE IN OTHER AREAS COMING
We try to connect researchers to
1. Lawmakers, to inform them of meaningful changes to laws that would enforce secure by default
2. Vendors/producers, to inform them of secure-by-design ways to build devices and of identified vulnerabilities
3. Purchasers of devices (for example: pacemakers, car distributors), to explain why they need to contractually demand security; if there is demand, vendors will supply
31. AND YES I DID SAY LAWMAKERS
It is WEIRD for you to have to listen to. I agree, but