Sunday, November 23, 2014

Security and Behavioral Economics - BSides Toronto 2014

Yesterday I spoke at BSides Toronto about security and behavioral economics. I was uncertain about how it would be received and I'm very happy to see that the audience enjoyed it and a few people came after it to ask questions and talk about it. I'm working on an expanded version (yesterday was only 25 minutes) that I hope to present in a bigger conference next year.

My slides and notes can be downloaded here. I'll also post the video as soon as it's posted by BSidesTO.

Monday, November 3, 2014

Survival bias

The cognitive bias of the day is the survival bias:
Survivorship bias, or survival bias, is the logical error of concentrating on the people or things that "survived" some process and inadvertently overlooking those that did not because of their lack of visibility. This can lead to false conclusions in several different ways. The survivors may be actual people, as in a medical study, or could be companies or research subjects or applicants for a job, or anything that must make it past some selection process to be considered further.

It's fairly common (and actually quite wise) to use data sources like the Verizon DBIR to understand which attacks and techniques are most prevalent in recent breaches. As I said in my last post, on the availability bias, we should rely on data sources like that to avoid fixing what's in our minds instead of what attackers are actually exploiting. However, there's a catch.

If we look at the most recent attack patterns, we will notice that some of the most common vectors of the past have slipped to the middle or the bottom of the list. What does that mean? Does it mean that I should shift my focus from SQL Injection to RAM scrapers now?

This is the effect of the survival bias: the vulnerabilities exploited in the past are being fixed, so attackers move on to the next low hanging fruit. That doesn't mean those commonly exploited vulnerabilities are no longer an issue; so many organizations fixed them that they simply stop showing up among the biggest issues. The list of currently most exploited vulnerabilities is made of the surviving vulnerabilities. Those that were widely fixed drop off the list not because they are no longer exploitable, but because they are no longer as prevalent as they used to be. If they are present in your environment, they will still be exploited. Be careful with those lists: the hot stuff from the past gets fixed by everyone and eventually falls to the bottom, but it remains a valid target wherever it is left open.
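The argument above can be made concrete with a small model. This is an added example, not part of the original post, and the vector names, prevalences, exploitation rates and fix rates are constructed numbers chosen only to illustrate the effect: as the widely fixed vector loses prevalence, its share of reported breaches (what a DBIR-style ranking shows) falls, while the breach probability of an organisation that still has it does not change at all.

```python
"""Toy model of survivorship bias in "top attack vector" lists (constructed data)."""
from dataclasses import dataclass
from math import prod


@dataclass
class Vector:
    name: str
    prevalence: float    # fraction of organisations still exposed to this vector
    exploit_rate: float  # P(breached via this vector | exposed); assumed constant
    fix_rate: float      # fraction of exposed organisations that fix it each year


def sample_vectors():
    """Constructed starting point: a widely present, widely patched vector (sqli),
    a niche one that is rarely fixed (ram_scraper) and a steady one (phishing)."""
    return [
        Vector("sqli", prevalence=0.9, exploit_rate=0.5, fix_rate=0.6),
        Vector("ram_scraper", prevalence=0.3, exploit_rate=0.4, fix_rate=0.05),
        Vector("phishing", prevalence=0.8, exploit_rate=0.2, fix_rate=0.1),
    ]


def breach_shares(vectors):
    """Share of all breaches attributed to each vector: prevalence * exploit_rate,
    normalised. This is the population-level view a breach report presents."""
    weights = {v.name: v.prevalence * v.exploit_rate for v in vectors}
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def ranked(vectors):
    """Vector names ordered as a 'top attack vectors' list would show them."""
    shares = breach_shares(vectors)
    return sorted(shares, key=shares.get, reverse=True)


def advance_year(vectors):
    """One year passes: a fix_rate fraction of exposed organisations patch each vector."""
    return [Vector(v.name, v.prevalence * (1 - v.fix_rate), v.exploit_rate, v.fix_rate)
            for v in vectors]


def simulate(vectors, years):
    """Ranking for year 0 .. years (inclusive)."""
    history = []
    for _ in range(years + 1):
        history.append(ranked(vectors))
        vectors = advance_year(vectors)
    return history


def org_breach_probability(vectors, exposed_names):
    """Breach probability of one organisation still exposed to the named vectors.
    It depends only on the exploit rates, not on how many others have patched."""
    rates = [v.exploit_rate for v in vectors if v.name in exposed_names]
    return 1 - prod(1 - r for r in rates)
```

Running `simulate(sample_vectors(), 3)` shows sqli at the top of the list in year 0 and at the bottom by year 3, while `org_breach_probability` for an organisation still exposed to sqli and phishing stays at 0.6 every year.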