Theater Hall - E.T.I. (HiP main stage)

IT Security: a game of counting the negatives, but can we do better?

HIP - Track 1 - Room 5
Mate Soos
In IT security we have been preoccupied with failures, with things that go wrong, and so we count the negatives -- the times when we failed. How about we seriously started counting the positives? More importantly, what if by adding more and more constraints to avoid the holes we have found, we are also removing the positive capacities in the system, thereby hurting our chance of success more than we hurt our chance of failure? In this talk, I will try to highlight how IT security could be done differently, by trying to focus on what goes right, rather than only focusing on what goes wrong, learning from our successes, and reinforcing them, so when next time the storm comes, we will have enough positive slack in the system to withstand the attack.
IT security, just like safety, has been focusing on the negatives, trying to learn from the times when things failed. Hence, we have become experts at counting the negatives, at finding all the holes. Because we rightfully fear failure, we have put more and more constraints on our systems through policies and guidelines and ways of working that constrain how they can be built and operated to avoid all the holes we have found. However, we tend to forget that the vast majority of the time, things go well. In fact, often they go well despite all the constraints we have put on the systems. Are we missing important learning opportunities by ignoring how things go well? In this talk, I will try to demonstrate how we could bring what safety literature calls "Safety II" or "Safety Differently" into the practice of IT security.

Additional information

Live Stream https://streaming.media.ccc.de/jev22/hip1
Type Talk/panel 45 min + 10 min Q&A (55 minutes)
Language English

More sessions

12/27/22
Theater Hall - E.T.I. (HiP main stage)
HIP - Track 1 - Room 5
Welcome to Hacking in Parallel. Let's fire this up.
12/27/22
Theater Hall - E.T.I. (HiP main stage)
pandzillophon
HIP - Track 1 - Room 5
We'll look at the role IT and software play in modern manufacturing, with a twist on the semiconductor industry. Since I'm a security guy, we'll mostly focus on the sorry state of that.
12/27/22
Theater Hall - E.T.I. (HiP main stage)
HIP - Track 1 - Room 5
The US military made massive use of devices for the biometric capture of people in Afghanistan. Some devices were left behind during the hasty withdrawal of NATO troops. In analyzing such devices, we found large amounts of biometric and other personal data. In the wrong hands, this data means mortal danger for people in Afghanistan and Iraq.
12/27/22
Theater Hall - E.T.I. (HiP main stage)
Ilja van Sprundel
HIP - Track 1 - Room 5
The C programming language first appeared in 1972 and became enormously popular. It has this magical combination of features that allows developers to quickly write portable code that can be reused and easily ported to different architectures. It has been the foundation of most operating systems and systems programming in the past 50 years.
12/27/22
Theater Hall - E.T.I. (HiP main stage)
Matthias Monroy
HIP - Track 1 - Room 5
The "Enhanced Border Security Partnership" poses an unprecedented threat to civil liberties in Europe.
12/27/22
Theater Hall - E.T.I. (HiP main stage)
Thomas Fricke
HIP - Track 1 - Room 5
We summarize how to secure Kubernetes clusters in critical infrastructure and give insights from the machine rooms.
12/27/22
Theater Hall - E.T.I. (HiP main stage)
mc.fly
HIP - Track 1 - Room 5
I will talk about why perimeter security is no longer a useful security principle, what could replace it and how to migrate