The Cavalry Is Us

Post on 26-Feb-2016


Transcript of The Cavalry Is Us


THE CAVALRY IS US

PROTECTING THE PUBLIC GOOD

Nicholas J. Percoco (@c7five), Joshua Corman (@joshcorman)

NICHOLAS J. PERCOCO

Director, Information Protection

KPMG LLP

Advanced Threat Defense, Security Research

THOTCON founder, Ran SpiderLabs

JOSHUA CORMAN

Director, Security Intelligence

Akamai

Father, Husband, Citizen

Adversaries, DevOps, Internet of Things

Rugged Software, “Building a Better Anonymous”

AGENDA

Why are we here?

Where have we been?

Where are we going?

How can you get involved?

WHY ARE WE HERE?

Chapter 1

THE BEAUTY OF ROCK BOTTOM

NICK’S DREAMS

JOSH’S SHARKS

CC: http://www.flickr.com/photos/maiabee/2760312781/

WE GAVE A TALK

IMPORTANT THINGS

Body

Mind

Soul

Countermeasures

Situational Awareness

Operational Excellence

Defensible Infrastructure

Life

Rights

CritInfr

IP

PII

CCN


REPLACEABILITY

WHICH BROWSER IS MOST SECURE?

WHICH MOBILE IS MOST SECURE?

WHICH CAR IS MOST SECURE?

WHICH INSULIN PUMP IS MOST SECURE?

WHICH THING IS MOST SECURE?

SOMEONE WILL COME TO THE RESCUE BEFORE IT’S TOO LATE

THE CAVALRY ISN’T COMING

IT’S UP TO US

CONVERGING UPON…

Focusing on security that affects personal lives

Getting outside the echo chamber

Teaming with stakeholders in the public

Technically literate ambassadors of our trade

Making the issues accessible

Getting results!

WHERE HAVE WE BEEN?

Chapter 2

TIMELINE

8/13: BSidesLV, DEF CON 21

9/13: DerbyCon, Congress

10/13: LASCON

11/13: TEDx, AppSecUSA

12/13: BlueHat

1/14: ShmooCon

?


JOURNEY(S)

Hobby->Profession->Lives (2)

Personal Rock Bottom->Find Others (<10)

Building the Guild->Shared Concerns/Identity (100)

Discovery->Missions/Goals/Plans (300)

Execution->Teaming with Concerned Citizens (1000s)

DERBYCON 2013: FIRST MEETING

Sept 28 + 29

100+ hackers

Enough flipcharts

…and deodorant

Thanks, Dave Kennedy!

DERBYCON 2013: FACILITATORS/SMES

Andrea Matwyshyn (Legal)*

Adam Brand (Structure)

Beau Woods (Approach)

Chort0 (Guild)

Craig Smith (Auto)

Emily Pience

Jay Radcliffe (Medical)

Josh Corman

Katie Moussouris (k8em0)

Space Rogue (Media)

* Guest Speaker

DERBYCON 2013: AGENDA

What conditions exist that we don’t like?

What are the causes of the conditions?

What should be done to eliminate the causes?

DERBYCON 2013: AREAS

Medical

Auto

Law

Media

DERBYCON 2013: OUTCOMES

Knowledge sharing about what is going on

Tons of new ideas on how to solve problems

More agreement than differences

LINKS TO VIDEOS/PODCASTS

BSIDES LV 2013 - http://bit.ly/16YbpC1

DEF CON 21 -

DERBYCON 2013 - http://bit.ly/1fYUCVI

LASCON 2013 -

LOOPCAST Ep 88- http://bit.ly/1a41cpk

SOUTHERN FRIED SECURITY Ep 115 - http://bit.ly/1amYdbC

PAULDOTCOM Ep 352 - http://bit.ly/1fzaqgP

TEDx Sharks/Security/IoT - http://bit.ly/1bBB6JR

WHERE ARE WE GOING?

Chapter 3

ORGANIZE, FOR ACTION

American Bar Association

American Medical Association

What do we have to be?

COULD WE, SHOULD WE

Do good through targeted research

Get the right message out (media teaming)

Change or prevent bad cyber security laws

Education and Awareness

THIS WILL NEVER WORK

We are techies
• Not safety people, not PR people, not lawyers

Screw them
• We told them, but they wouldn’t listen

The problems are too large
• The war was lost a long time ago

FINDING COMMON GROUND?

WHAT?

WHEN?

HOW?

Chances of Success/Failure

STILL TO WORK ON

1. Identity
• Mission – What we exist to do (started at Derby)
• Values – What we believe
• Nature – What form we will take / what our core work is

2. Vision
• What we want to achieve and by when
• What we intend to look like in X years

3. Plan
• What we need to do and by when

HOW DO YOU GET INVOLVED?

Chapter 4

UPCOMING EVENTS

December: Microsoft BlueHat

January: ShmooCon / OWASP AppSec CA

March: RSA Conference 2014 (?)

April: THOTCON 0x5 / SOURCE Boston (?)

Also, many BSides globally

August: Adjacent to Black Hat / DEF CON

WE NEED YOU

Experience with medical device, auto industries

Media wrangling expertise

Lobbying/Policy experience

Organizational/Visual skills

… or just passion to help

HOW TO GET INVOLVED - OWASP

Breakers

Builders

Citizens

Parents/Guardians

Community Leaders/Bloggers/Podcasters/etc

IDEAS, COMMENTS, HELP

@iamthecavalry

Google Group: http://bit.ly/thecavalry

NEVER DOUBT THAT A SMALL GROUP OF THOUGHTFUL,

COMMITTED CITIZENS CAN CHANGE THE WORLD; IT’S THE

ONLY THING THAT EVER HAS.

- MARGARET MEAD (AN AMERICAN CULTURAL ANTHROPOLOGIST)

SECURITY OF CONSEQUENCE

Fin