Jason Truppi: Illusions are what can paralyze the ability of government and industry to fight online threats, according to a former member of the FBI's network security group who spoke at the B-Sides security conference, held in San Francisco.
Society is working under the illusion that governments and businesses make rational decisions about computer security, but the reality is different: bad management, and a false belief that technology can save them.
"The government is very reactionary," said Jason Truppi, director of security company Tanium and a former FBI investigator.
"Over time we have learned that it did not work: being reactive, not precautionary."
Jason Truppi said that we should not assume government and industry are working together to protect themselves from the various online threats. In fact, he says, commerce and government are working to very different agendas, and the result is hopeless confusion.
Take the exchange of threat information, for example: the government encourages businesses to share vulnerabilities, but businesses are increasingly reluctant to share data if doing so exposes them to wider risks, such as reputational damage that makes customers run away in an effort to protect themselves.
The fact that companies have INFOSEC teams does not seem to have had much effect either. Truppi, who has now moved to the commercial sector, said companies are still trying to hire security specialists, but they are stuck with false alarms and panic-driven management.
A single false alert may cost many days, he warned, and senior management that does not understand such issues may lose several days while the team deals with an alert that does not concern a serious issue. Fraud in the stock market is one such case.
The traditional view holds that hackers will try to cheat transactions with fake pages, but Truppi argued that this tactic is old. It is much easier and far more profitable to make money through insider trading than to attempt fake transactions that can be checked before payment.
All that is needed is an unsecured endpoint, the former agent said. After that, the keys are theirs. Staff compliance rules do not help much, as they address yesterday's threats.
But having the IT department deal with incidents amid so much false information about threats results in fatigue, and that means they burn out…
The big picture
The biggest illusion in computer security is the belief that businesses, and the government, know what they are doing, said Jason Truppi.
Five years ago everyone thought the big financial companies knew what they were doing to lock down their bank accounts.
At least banks are better than most businesses, according to Jason Truppi. Too many companies believe that having a disaster recovery plan is enough, but it does not work that way.
We are still only in the early stages of distributed denial-of-service (DDoS) attacks, said Jason Truppi. We will see big Internet outages thanks to IoT botnets that will be able to take down entire sections of the Internet.
"A Mirai botnet could take down the Internet for long periods of time," he warned. "And don't expect these fancy AI systems to secure you."