Jason Truppi: Delusions are what cripple the ability of government and industry to fight cyber threats, says a former member of the FBI's network security teams, speaking at the B-Sides security conference held in San Francisco.
Society operates under the illusion that governments and businesses make rational decisions about computer security, but the reality is different: poor management, and a false belief that technology can save them.
"The government is very reactionary," said Jason Truppi, director of security company Tanium and a former FBI investigator.
"Over time we have learned that being reactive rather than precautionary did not work."
Jason Truppi said we should not assume that government and industry are working together to protect themselves from the various online threats. In fact, he says, business and government are working on very different agendas, and the result is hopeless confusion.
Take threat information sharing, for example: the government encourages businesses to share vulnerabilities, but businesses are increasingly reluctant to share data if doing so exposes them to wider risks, such as reputational damage that makes customers flee as they try to protect themselves.
The fact that companies have infosec teams does not appear to be producing meaningful results either. Truppi, who has now moved to the commercial sector, said companies are still trying to hire security specialists, but remain bogged down by false alarms and panicked management.
A single false alarm can eat up many days of the year, he warned, and senior management that does not understand such issues may lose several days while the team chases a non-serious alert. Stock market scams are one such case.
The traditional view is that hackers will use fake pages to trick victims into fraudulent transactions, but Truppi argued that this tactic is outdated. It is much easier, and far more profitable, to use insider trading to extract money than to attempt fake transactions that can be verified before payment.
All that is needed is an unsecured endpoint, the former agent said. After that, the keys are theirs. Staff compliance rules do not help much, since they address yesterday's threats.
But having the IT department handle incidents amid so much false threat information leads to fatigue, and that means staff burn out.
The big picture
The biggest illusion in computer security is the belief that businesses, and the government, know what they are doing, said Jason Truppi.
Five years ago everyone thought the big financial companies knew what they were doing to lock up their bank accounts.
At least banks are better than most businesses, according to Jason Truppi. Too many companies believe that having a disaster recovery plan is enough; it does not work that way.
We are still only in the early stages of distributed denial of service (DDoS) attacks, said Jason Truppi. We will see major internet outages thanks to IoT botnets that will be able to take down entire sections of the Internet.
"A Mirai botnet could take down the internet for long periods of time," he warned. "And don't expect these fancy AI systems to secure you."