Jason Truppi: Why do hackers win the game of security?

Delusions are what can cripple the ability of government and industry to fight cyber threats, according to a former member of the FBI's netsec team who spoke at the B-Sides security conference. The B-Sides conference was held in San .

Society operates under the illusion that governments and businesses make rational decisions about computer security, but the reality is otherwise: mismanagement, and a false belief in the power of s that can save.

"The government is very reactive," said Jason Truppi, director of the security firm and former FBI investigator.

"Over time we have learned that it did not work, to be reactive, not precautionary."

Jason Truppi said we should not assume that government and industry are working together to protect against various online threats. In fact, he says that the s sector and government are working to very different agendas, and the result is hopeless confusion.

On sharing information about threats, for example, the government encourages businesses to share . But businesses are increasingly reluctant to share data if it exposes them to wider risks, such as a bad reputation that will send customers running for cover.

The fact that companies have INFOSEC teams does not seem to have such serious results. Truppi, who has now moved to the commercial sector, said companies are still trying to hire security specialists, but get stuck on false warnings and panic management.

A single false alert may take many days, he warned, and a senior management that does not understand such issues may lose several days while the team is dealing with a warning that does not concern a serious issue. Fraud in the stock market is such a case.

The traditional view is that hackers will try to cheat on transactions using fake pages, but Truppi argued that this tactic is old. It is much easier and much more profitable to use insider trading to make money than to try fake transactions that can be checked before payment.

All that is needed is an unsecured endpoint, the former agent said. After that the keys are theirs. Staff compliance rules do not help much, as they are about yesterday's threats.

But for the IT department, dealing with incidents amid so much false information about threats results in fatigue, and that means they burn out…

The big picture

The biggest illusion in computer security is the belief that businesses, and the government, know what they are doing, said Jason Truppi.

Five years ago everyone thought the big financial companies knew what they were doing to lock up their bank accounts.

At least banks are better than most businesses, according to Jason Truppi. Too many companies believe that having a disaster recovery plan is enough, but it does not work that way.

We are still only in the early stages of distributed denial of service (DDoS) attacks, said Jason Truppi. We will see big internet outages thanks to IoT botnets that will be able to take down entire sections of the Internet.

"A Mirai botnet could take down the internet for long periods of time," he warned. "And don't expect these fancy AI systems to secure you."

Written by giorgos