Defining Cybersecurity with Gene Spafford - Computerphile

  • Added 14 Nov 2023
  • Legendary cyber-security expert Professor Gene Spafford joins us to try to define what cyber-security even is! "Spaf", as he's known, is a faculty member at Purdue University and now Honorary Professor at the University of Nottingham.
    Dr Spafford is a Fellow of the American Academy of Arts and Sciences, the American Association for the Advancement of Science, the ACM, the IEEE, and the (ISC)2; a Distinguished Fellow of the ISSA; and a member of the Cyber Security Hall of Fame, the only person to ever hold all these distinctions.
    The book "Cybersecurity, Myths and Misconceptions" can be found here: bit.ly/C_CyberMythsBook
    / computerphile
    / computer_phile
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscomputer
    Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharanblog.com
    Thank you to Jane Street for their support of this channel. Learn more: www.janestreet.com

Comments • 93

  • @teh_jibbler
    @teh_jibbler 6 months ago +45

    "We could teach someone else everything from the bare circuitry, up to the human-computer interface and how it all worked and how it all fit together. I would contend that there's no person alive who can do that anymore because the systems have gotten so complex."
    You said it man. We're boned.

    • @ivanskyttejrgensen7464
      @ivanskyttejrgensen7464 6 months ago +6

      I think that threshold was crossed around the late 80s when I was taught the whole stack from electronics to firmware to OS to applications. Around that time the complexity of systems started to increase beyond what a single person could comprehend.

    • @KraylusGames
      @KraylusGames 6 months ago +12

      Interestingly, the same thing happened to medicine in the early 20th century. There is no doctor alive today who knows every aspect of medicine; instead we have generalists who have breadth but not depth and we have specialists with depth but not breadth.
      This is already happening in tech as well. There are fewer and fewer "full-stack" engineers. Instead we have specialists for specific parts of the stack or even specific pieces of hardware, frameworks, and libraries.

    • @goldnutter412
      @goldnutter412 6 months ago

      Yep. Except the boned bit. Web 3 is going to enable a completely new level of security. The world will run on blockchains, mostly private ones.
      It will take a few years yet before people are capable of seeing this, but it is obvious to those of us who saw web1 and the horrifying oversights in TCP/IP design, Windows security, and so on. The malware scene was a slowly-then-suddenly explosion, and then the obvious happened. Online crime gangs, a massive carding scene selling batches of stolen CC numbers.. and this was on the OPEN internet in the early 2000s! It has only been 1 paradigm (20 years), which is the minimum for realisation of large problems to become widespread and for us to start to adapt.
      The real problem is phishing, social engineering attacks, because attackers leverage the human emotional response or complacency.. or they play the long game and gain trust over time. Digital provenance is the blockchain superpower, and a big key to AI issues; knowing where the data came from solves so much. But it's a long build process, almost 20 years now so.. whatever your opinion is you will see soon enough.

    • @londonbobby
      @londonbobby 6 months ago +1

      Are we though? We probably know less about medicine and the human body than we do about IT and yet we seem to muddle through.

    • @QuantumHistorian
      @QuantumHistorian 6 months ago +6

      The same thing is true of just about anything. Nobody knows how to go from drilling oil, to refining plastic, to filling it up with ink and selling it as a biro. Yet biros get made, and we write with them, and it all works out fine. It just means that we have to think in terms of collective systems rather than individuals - but that's what civilization has fundamentally been about for some 6000 years now.

  • @agoatmannameddesire8856
    @agoatmannameddesire8856 6 months ago +30

    General public: No one understands how AI systems work!
    People who work in cybersecurity: I got bad news for you about non-AI systems, too.

  • @CheddarKungPao
    @CheddarKungPao 6 months ago +14

    Brilliant talk by Prof. Spafford. Thank you to Sean, the esteemed Professor and anyone else who helped in making this happen.

  • @marklonergan3898
    @marklonergan3898 6 months ago +18

    You mention that being completely secure is impossible so therefore it can't be the definition, but I feel having an impossible (ideological) target as your definition should be acceptable. Referring to the cyber security of a system isn't a yes or no question - it's a scale of how secure it is, so even though 100% is unobtainable, that doesn't prevent us from having a scale.

    • @tracyrreed
      @tracyrreed 6 months ago +6

      Spaf would totally agree with you there. He's just saying that we can and should aspire to do even better.

  • @user-he8xk2vz5j
    @user-he8xk2vz5j 5 months ago +2

    Crazy logging into youtube and seeing one of my former Purdue professors here... Spaf is a genius, and is the one who started me on my interest in the topic of ethics around AI.

  • @cDogRage
    @cDogRage 6 months ago +2

    Meteor collision event warning, IT staff: "We've been preparing for this all our lives."

  • @ivanskyttejrgensen7464
    @ivanskyttejrgensen7464 6 months ago +19

    Regarding the definition or design of safe state and operations in a program: Over the years there has been a lot of research into formal specifications, mathematical-like proofs of program correctness etc., but it seems that when the program gets "big enough" the main problem becomes how to define the desired behavior, because the requirements are more abstract and not easily defined formally.
    I still find formal methods and program proofs very useful in smaller, low-level components, because if I can expect them to work as specified I can use my brain power to consider the higher-level complexities.

    • @MrBluelightzero
      @MrBluelightzero 6 months ago +1

      Maybe the solution is to stop making programs so big.

    • @QuantumHistorian
      @QuantumHistorian 6 months ago +7

      @@MrBluelightzero That seems like saying we should stop people dying in car crashes by limiting their top speed to 5km/h. Sure, it would work. But it's rather missing the point, and comes at an enormous cost.

  • @ejmakela7525
    @ejmakela7525 6 months ago +1

    This is great! I'd love to see more videos like this that address the fundamentals of cybersecurity/InfoSec. Please bring Mr Spafford back for more! Also consider interviewing the authors of the textbooks he referenced.

  • @goesbymoon
    @goesbymoon 6 months ago +2

    YOOOO!!! I recognize Spaf, he gave an ethics lecture at Purdue for CS grad students that I attended like a year ago :> he seemed really nice and it's so cool to see him on this channel!

  • @roamtim
    @roamtim 6 months ago +3

    Such a succinct explanation of the myriad of issues, thanks for sharing!

  • @timrichards589
    @timrichards589 6 months ago

    This is such a great video. Thanks for sharing. This should be mandatory viewing for any executive involved in funding cybersecurity within their organization.

  • @programming.jesus1234
    @programming.jesus1234 4 months ago +1

    Simplicity and correctness. We have finished the exploratory time. We understand the problems well enough; now it is time to create the simplest, most pure and correct solution. I am working on this currently.

  • @cidercreekranch
    @cidercreekranch 6 months ago +4

    Complexity as a whole will tend towards infinity. Complexity in information systems, as a whole, is analogous to entropy in thermodynamics. Deploying more information systems leads to greater complexity. The best that we can hope for is to reduce the rate of increase.

  • @OcteractSG
    @OcteractSG 6 months ago +4

    We live in an anti-security world. Browsers run executable JavaScript without asking permission, websites frequently rely on said JavaScript, every little object or service has an app, games and apps almost always expect network access, and so on. Security is hard to do technically and inconvenient to practice.

  • @billharshbarger7191
    @billharshbarger7191 6 months ago

    Spaf! I'm so happy to see him on your channel!

  • @chaoslab
    @chaoslab 6 months ago +1

    Excellent video, thanks to you both. 🥰😃

  • @TimL_
    @TimL_ 6 months ago +2

    Interesting approach to the topic, thank you for the presentation and the book recommendations.

  • @rezdm
    @rezdm 6 months ago +5

    In my opinion, what is not covered is what _cyber_ risk is: what constitutes _cyber_? Imagine a situation: a criminal wants to steal, say, a diamond in a room behind some door with an electronic/computer combination lock. There are, for example, the following options: a) just smash the door b) use social engineering to get access to the mail of a person and use it to find the number combination c) hack the lock d) brute-force this lock. Which of these would be a breach of "cyber security"?

    • @londonbobby
      @londonbobby 6 months ago

      Also, risk is seen as something to be avoided rather than managed, not a particularly useful approach.

  • @johnsenchak1428
    @johnsenchak1428 6 months ago +1

    GREAT VIDEO !

  • @morningsssss2857
    @morningsssss2857 25 days ago

    more of Gene, please :)

  • @jfwfreo
    @jfwfreo 6 months ago

    Are any of the books by Bruce Schneier relevant to the field of cyber security?

  • @johnsenchak1428
    @johnsenchak1428 6 months ago +1

    MORE VIDEOS LIKE THIS !

  • @PhilBoswell
    @PhilBoswell 6 months ago +2

    Just to check, is the y-axis at 12:00 labelled upside-down? Surely the *less* you spend, the more risk you take? 🤔

    • @3snoW_
      @3snoW_ 6 months ago +4

      I interpreted that as the risk that is covered by your security measures, so more money means more coverage.

    • @spaf
      @spaf 6 months ago +10

      Yes, I mislabeled the axis.. It should be "Reduction in risk"

  • @llundber
    @llundber 13 days ago

    Great discussion.
    Though it's hard to believe that large companies are still being hacked - often by the simplest means such as SQL injection or access spoofing.
    Is this mainly a matter of sunk costs and not allocating sufficient resources to fixing even the most basic, well-known holes?
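    The comment above names SQL injection as one of the "simplest means" by which large companies still get breached. To show how small the gap between the hole and the fix actually is, here is an added example (written for this page; it is not code from the video, the book, or anyone in the thread) using Python's built-in sqlite3 module. The table, its rows and the two attacker payloads are constructed for illustration.

```python
"""SQL injection: the vulnerable lookup beside its parameterized fix.

Added example, not from the video or the comment thread. The schema, the
rows and the attacker inputs below are constructed for illustration.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", "admin"), ("bob", "h2", "user"), ("carol", "h3", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string interpolation, so whoever supplies
    `username` also controls the SQL text. This is the well-known hole."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same query with a bound parameter: the driver sends the input as
    data, so quotes, OR and UNION in it are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads. TAUTOLOGY closes the string literal and appends a
# condition that is always true; EXFIL appends a UNION that pulls the
# password hashes out through the two columns the query already returns,
# with "--" commenting out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
EXFIL = "' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print("legit:", lookup_vulnerable(conn, "bob"))
    print("tautology, vulnerable:", lookup_vulnerable(conn, TAUTOLOGY))
    print("exfil, vulnerable:", lookup_vulnerable(conn, EXFIL))
    print("tautology, fixed:", lookup_parameterized(conn, TAUTOLOGY))
    print("exfil, fixed:", lookup_parameterized(conn, EXFIL))
```

    Against the vulnerable function the tautology payload returns every row and the UNION payload returns every user's password hash; against the parameterized function both return nothing, because no user is literally named `' OR '1'='1`. The fix is one line and has been standard advice for over two decades, which is exactly what makes the comment's question about sunk costs and resourcing a fair one.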

  • @adambyte256
    @adambyte256 6 months ago +2

    So how far back is first principles? Creating a new processor instruction set, and then inventing a chip that runs it?

    • @agoatmannameddesire8856
      @agoatmannameddesire8856 6 months ago +1

      Given all the recent speculative execution vulnerabilities...

    • @ProfessorSpaf
      @ProfessorSpaf 6 months ago

      That depends on what your definition of "secure" is going to be. The classic Ken Thompson paper, "Reflections on Trust" comes to mind....

  • @FlyingJolly
    @FlyingJolly 6 months ago +7

    That the number of programmers doubles every five years is a significant concern. Junior programmers are prone to make security mistakes until they've encountered them personally. Building secure systems comes with experience. And keeping up-to-date on threats is a problem for those of us who have been in the field for decades.

    • @QuantumHistorian
      @QuantumHistorian 6 months ago +4

      If you need experience to do a competent job (rather than doing it more efficiently), then it feels like a failure in education/training more than anything else.

  • @cable567
    @cable567 6 months ago

    It should be noted that defining cybersecurity cannot be the same as defining fields of discovery such as math and science. Cyber Security is a human creation that is ever evolving.

  • @tomholroyd7519
    @tomholroyd7519 6 months ago +1

    This man helped to build the internet

  • @Iswimandrun
    @Iswimandrun 6 months ago +17

    So code scanning tools won't save us.

    • @Iswimandrun
      @Iswimandrun 6 months ago

      And fixing exploits as they get discovered won't save us, as the fixes might make new exploits. So software architects that make good specifications plus a good development strategy with test-driven development is the answer?

    • @____r72
      @____r72 6 months ago +3

      not while there’s bipolar people roaming the earth looking for a juicy troll sesh

    • @chrism72727
      @chrism72727 6 months ago

      What are code scanning tools scanning for? They can't be scanning for the unknown.

  • @Obscurai
    @Obscurai 6 months ago +1

    After years of accepting identified risks, corporations have a huge accumulated IT security debt that is never revisited until systems are replaced (and not even then). This is a measurable metric and yet does not result in better security.

  • 6 months ago +1

    One would hope that Spectre / Meltdown and its relatives would have woken up the industry. The fact that essentially the same security hole exists in completely different CPUs with completely different architectures from completely different manufacturers *must* be a wake-up call! This could only happen because there has been a complete failure across the entire industry to try and understand the ramifications of the ever more complex interactions caused by piling ever more complex optimizations on top of ever more complex features. Security needs to be implemented from day 0 as an overarching goal.

  • @carlborgen
    @carlborgen 6 months ago +1

    Computational irreducibility says good luck specifying all states

  • @landsgevaer
    @landsgevaer 6 months ago

    Where is the chained printer paper?

    • @Computerphile
      @Computerphile 6 months ago

      In England at the moment! (The prof did this remotely from Indiana!) -Sean

  • @LupinoArts
    @LupinoArts 6 months ago +1

    I never understood the trope of documentaries to cut in the interviewer nodding... why do you do that?

  • @bluegizmo1983
    @bluegizmo1983 6 months ago

    One of the biggest misconceptions about cyber security is that you can go to school to learn how to do it, then once you graduate you're done learning... Cyber security is a forever changing and rapidly changing landscape. Pretty much everything you've learned in cyber security school will be useless in 5 to 10 years or less. You MUST forever be learning the new threat landscapes and attack vectors while you're working in the industry, not just while you're taking classes in school. Pretty much the only attack vector that is guaranteed not to change is social engineering.

  • @bertblankenstein3738
    @bertblankenstein3738 6 months ago +1

    Wrt secure systems, there are nuclear-bomb-proof data centres. I guess you have to put a limit and come up with some risk/cost analysis.

    • @ProfessorSpaf
      @ProfessorSpaf 6 months ago +1

      Exactly. Security is not an absolute. It is always relative to a set of threats and a budget for mitigations.
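    Two threads above make the same point from different sides: the axis Spaf corrected to "reduction in risk" versus spend, and this exchange about security being relative to a set of threats and a budget for mitigations. The example below, added for this page and not taken from the video or the book, puts a toy quantitative model on that reasoning: each threat gets an annualised loss expectancy (incidents per year times loss per incident), each control removes a fraction of the exposure it covers, and a search over affordable control sets finds the best reduction in risk at each budget. Every threat rate, loss figure, control cost and effectiveness number is constructed for illustration, not measured from any real organisation.

```python
"""Toy quantitative risk model: choose mitigations under a budget.

Added example, not from the video or the book. All threat rates, losses,
control costs and effectiveness figures are constructed for illustration.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Threat:
    name: str
    annual_rate: float      # expected incidents per year (ARO)
    loss_per_event: float   # expected loss per incident (SLE)

    def ale(self) -> float:
        """Annualised loss expectancy: ARO * SLE."""
        return self.annual_rate * self.loss_per_event


@dataclass
class Mitigation:
    name: str
    cost: float
    # fraction (0..1) of each named threat's ALE the control removes;
    # independent controls on the same threat compose multiplicatively
    reductions: dict = field(default_factory=dict)


def baseline_risk(threats):
    """Total ALE with no controls in place."""
    return sum(t.ale() for t in threats)


def residual_risk(threats, chosen):
    """Total ALE left after applying every control in `chosen`."""
    total = 0.0
    for t in threats:
        remaining = t.ale()
        for m in chosen:
            remaining *= 1.0 - m.reductions.get(t.name, 0.0)
        total += remaining
    return total


def best_portfolio(threats, mitigations, budget):
    """Exhaustive search over control subsets (fine for a handful of
    controls; a real portfolio would hand this to a knapsack/ILP solver).
    Returns (sorted control names, total cost, residual risk)."""
    best = ((), 0.0, residual_risk(threats, ()))
    for k in range(1, len(mitigations) + 1):
        for subset in combinations(mitigations, k):
            cost = sum(m.cost for m in subset)
            if cost > budget:
                continue
            resid = residual_risk(threats, subset)
            # prefer the lower residual risk; on a tie, the cheaper set
            if (resid, cost) < (best[2], best[1]):
                best = (tuple(sorted(m.name for m in subset)), cost, resid)
    return best


def reduction_curve(threats, mitigations, budgets):
    """Best achievable reduction in risk at each budget: the corrected
    y-axis. Returns are diminishing, then flat once every control fits."""
    base = baseline_risk(threats)
    return [(b, base - best_portfolio(threats, mitigations, b)[2]) for b in budgets]


# Constructed sample data (not measurements from any real organisation).
THREATS = [
    Threat("phishing", annual_rate=12.0, loss_per_event=5_000.0),        # ALE 60k
    Threat("ransomware", annual_rate=0.2, loss_per_event=400_000.0),     # ALE 80k
    Threat("web_injection", annual_rate=0.5, loss_per_event=100_000.0),  # ALE 50k
]
MITIGATIONS = [
    Mitigation("mfa", 20_000.0, {"phishing": 0.6, "ransomware": 0.3}),
    Mitigation("offline_backups", 15_000.0, {"ransomware": 0.7}),
    Mitigation("secure_code_review", 30_000.0, {"web_injection": 0.8}),
    Mitigation("awareness_training", 10_000.0, {"phishing": 0.3}),
]

if __name__ == "__main__":
    print(f"baseline ALE: {baseline_risk(THREATS):,.0f}")
    for budget in (0, 20_000, 40_000, 60_000, 80_000, 100_000):
        names, cost, resid = best_portfolio(THREATS, MITIGATIONS, budget)
        print(f"budget {budget:>7,}: spend {cost:>7,.0f} on {names} -> residual {resid:,.0f}")
```

    With these constructed figures the baseline exposure is 190,000 a year; 40,000 of budget buys MFA plus offline backups and cuts that to 90,800, 60,000 buys a different set (training, backups, code review) and reaches 76,000, and past 75,000 the curve goes flat because every control is already in place. The numbers are made up, but the shape is the point: "secure" only has a value once the threat list and the budget are written down, and the best set of controls changes with the budget rather than simply growing.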

  • @226011
    @226011 6 months ago

    Please do a video about sim-swap scam methods

  • @generalzugs6017
    @generalzugs6017 6 months ago +1

    So, you're saying that my free version of AVG is not gonna save me from covid or aliens with covid? Damn!

  • @davidlindstrom4383
    @davidlindstrom4383 6 months ago +9

    The definition of "security" is an issue in US politics, too, where many say "border security" to describe preventing people from crossing without legal authorization, while others use the term to mean that people who cross the border are not in danger of being harmed while doing so.
    Similarly, some use "election security" to describe an election system that prevents ineligible votes from being cast, while others seem to use it to describe a system that prevents those who are not authorized to tally votes from independently validating the election results.

  • @Diggnuts
    @Diggnuts 6 months ago +1

    Cyber security maps to medicine if the more we knew about medicine, the less old and more sick we got. If anybody thinks this will ever get better, I have got some bridges to sell to you.

  • @FindecanorNotGmail
    @FindecanorNotGmail 6 months ago +13

    I absolutely hate that the word "cyber-" has become prominent as a prefix for this field.
    Back when I had my education in computer security, we did not use it. We used "cybernetics" to denote control systems, staying away from how it was misused in sci-fi novels.

    • @tracyrreed
      @tracyrreed 6 months ago

      I blame old men in government who thought "cyber" sounded cool back in the 80s. I didn't hear anyone talk about "the cyber" except for them until they forced it on the rest of industry.

    • @xtrakewlguy666
      @xtrakewlguy666 6 months ago +1

      You're telling me you haven't cyberjacked in to the infodome to leach out some data cyphers? Do you even remodulate the mainframe in the virtualsphere's technobrain??

  • @MrBluelightzero
    @MrBluelightzero 6 months ago +1

    Something, something, $5 wrench.

  • @goldnutter412
    @goldnutter412 6 months ago

    Great point about software people use all the time.
    If Microsoft software suddenly destroys all your data, too bad. LLC, maximum $5 liability..

  • @Primalmoon
    @Primalmoon 6 months ago +1

    I disagree with the professor's use of "sunk cost" over and over. Not wanting to move to a different system even if it is more secure is not necessarily a problem of a "sunk cost", it can be perfectly rational. As the professor noted earlier when talking about unclear definitions of security, security can be an economics issue.
    Imagine you're a company that already has a system built on an insecure platform that you're already making money from, and you're evaluating if you should switch to a different system for better security:
    Why move to a new, unproven system that is supposedly secure, but will require brand new and expensive development to adopt, when a company already has access to a "good enough" system with an established ecosystem and experienced developers for free? Even though it has issues that will need extra development to fix up / patch up, those are fixes / patches that can be applied to a system now, allowing the company to continue to have a revenue source from customers instead of going dark to spend years of development to switch to the new thing while their competitors steal all of its customers.

    • @ProfessorSpaf
      @ProfessorSpaf 6 months ago

      There are second and third order effects, too, if we knew how to measure them. You are correct that first order profit/loss might argue against switching. However, technological debt increases, and new investments to support buggy products may not be the best long-term use of funds. There are also potential social costs (loss of customer/employee personal information), reputational costs (Company X is known to rely on faulty products), and perhaps legal costs (recent gov. regulations on disclosure and minimum safety). The point is, without a better understanding of risk and metrics, a proper investment plan is not likely to be developed.

  • @davt8355
    @davt8355 6 months ago +2

    I hope that one day computer science students realise that computer science won't give them a good job but Cybersecurity and IT does.

    • @londonbobby
      @londonbobby 6 months ago

      Wasn't that long ago when few people gave a flying duck about IT security; very career limiting. Now it's all the rage and pretty lucrative if you're any good at it.

    • @QuantumHistorian
      @QuantumHistorian 6 months ago +1

      There's definitely a lot of confusion between computer science and software engineering, with many people thinking they're the same. They are not. The former is a branch of mathematics, the latter a technical, applied skill. The difference is the same as between a physicist and a structural engineer. Of course, the structural engineer needs to know some physics, but that doesn't mean that their knowledge, their skill set, or their jobs are the same.

  • @horsied
    @horsied 6 months ago

    yes

  • @EssexJames65
    @EssexJames65 6 months ago +2

    It's all about the data. It's confidentiality, integrity and availability of data that defines the field. The wires and tin deliver some of the controls. That's security 101 but didn't even get a mention.

    • @timisw
      @timisw 6 months ago

      Until it is operational technology and critical control systems. Then it is less about data and more about the availability of the cyber-physical environment.

    • @spaf
      @spaf 6 months ago +2

      Data security is a subset of cybersecurity. Those terms are also incomplete, vague, and not adequately measurable. This is discussed in depth in chapter 1 of the book.

  • @aprilmeowmeow
    @aprilmeowmeow 6 months ago

    first

  • @antoniogarest7516
    @antoniogarest7516 6 months ago +1

    🗿

  • @humanaku9135
    @humanaku9135 6 months ago +1

    The greenscreen is not doing this gentleman any favors

    • @tiavor
      @tiavor 6 months ago

      that's not even a greenscreen, that's just MS-Teams auto background removal.

    • @Computerphile
      @Computerphile 6 months ago +2

      Zoom in this case but yeah

  • @ApostateOfMind42
    @ApostateOfMind42 6 months ago

    Sixth

  • @_masterbait
    @_masterbait 6 months ago +1

    hi mom

  • @HM-pb9kd
    @HM-pb9kd 6 months ago +2

    First

  • @deadlock_problem
    @deadlock_problem 4 months ago

    Using psychology as a field that is rigorous and has standards without myths and misconceptions is very funny, probably the worst example of a field that does not have those.

    • @sathyajithps013
      @sathyajithps013 3 months ago

      Could you please elaborate, I'd like your view on it.

  • @UrSoMeanBoss
    @UrSoMeanBoss 2 months ago

    As a programmer, this has a lot of overlap with something that I can only describe as the "dependency and versioning" umbrella problem. It feels absurd when you realize how much of our modern world is held together by a legacy of chewing gum and string. With the countless permutations present in our systems and environments, it's a miracle things work as well as they do. I wonder if the problems it causes will ever grow to outweigh the sunk cost enough.

  • @ac.creations
    @ac.creations 6 months ago +1

    First

  • @user-sp7dj4rs3z
    @user-sp7dj4rs3z 6 months ago +1

    first