Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 277 for Thursday February 9th, 2012
- John Strand will be teaching "Offensive Countermeasures: Defensive Techniques That Actually Work" and Carlos Perez will be teaching "Using and Automating the Metasploit Framework" on March 13-14 at the Mid-Atlantic CCDC just outside Baltimore, MD! Register Today at The PaulDotCom Training Web Site
- John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Check it out here
- Larry is teaching SEC617: Wireless Ethical Hacking, Penetration Testing and Defenses 5 times this year: vLive!: April 16 - 22, 2012, SANS Cyber Guardian 2012, Baltimore: April 30 - 06, 2012, SANS Toronto 2012, Toronto: May 14 - 20, 2012, Community SANS Ottawa, Ottawa: June 11 - 17, 2012, SANS Sydney 2012, Sydney, AU: November 12 - 18, 2012
- Check out our new shows: Hack Naked TV with John Strand, Hack Naked At Night with Larry and Darren, PaulDotCom Espanol with Carlos Perez.
- Subscribe to our only non-computer security related show, dedicated to cigar enthusiasts: Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. Whether you smoke an occasional cigar or one every day, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".
- Don't forget to Follow us on Twitter
Interview: Adam Shostack
Adam is a principal program manager on the Usable Security team in Trustworthy Computing, which performs ongoing research into classifying and quantifying how Windows machines get compromised. Before joining Microsoft, Adam helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the book, The New School of Information Security.
- Can you briefly describe the idea of the New School?
- The New School of Information Security has been out for almost four years; what are the most encouraging changes you have seen in that time? And the least encouraging?
- The title of chapter five is an Alan Schiffman quote, "Amateurs study cryptography, professionals study economics", a great quote, but I assume some people took exception to that.
- The book challenges some sacred cattle, such as user education. Do you still struggle to make people understand the importance of understanding the human element of Information Security?
- An interesting human element covered in the book was that visible security measures appear to make people less cautious. I have certainly seen people who believed the firewall and anti-virus meant that they didn't have to take any personal responsibility for their actions online. This "dealing with people" thing is tricky.
- The book also promotes what some now call the operationalization of security. While some are picking up the idea, others seem entrenched and are content with the status quo. Have you seen any successes in this area in large enterprises?
- Reports such as those from Verizon, Mandiant, Veracode, Trustwave and others are giving us more information, but the formats vary and the raw data isn't always available. How can we make the most of these reports?
- You have done some creative things to educate people about security. Can you tell us how you came up with the idea for the Elevation of Privilege card game, what it was like promoting it internally at Microsoft, and how it has been received?
- Tell us about Saltzer and Schroeder, their 8 principles, and why a paper that was written in 1974 still makes a whole lot of freaking sense to the computer security industry.
- I was going to post this as a story, but I'd like to hear your thoughts on why breach disclosure is expensive, and whether this will discourage companies from reporting breaches, even at the expense of fines, etc.