
The Seven Sins. And Virtues. Of IT Security And How They Affect Our World - Mario Heiderich

BSides Munich · 19:45 · 167 views · Published 2023-10

Transcript [en]:

And I would like to kick off this conference with my keynote, which is called "The Seven Sins". We're going to talk about those seven sins, of course, and how they map to IT security, what we can learn from that, and how they actually affect our daily life. My name is Mario, and you might know me as the director and founder of Cure53. Back in the day I was a researcher; today, mostly admin work. I still maintain DOMPurify, a JavaScript library to prevent cross-site scripting, and you can reach out to me if you feel like it using the means shown down there.

With no further ado I would like to kick this off with a small disclaimer. We're talking a little bit about religious themes, and those might be offensive to one or the other person here, and I would like to clearly indicate that I mean no offense. If I indeed say something that offends you, then please let me know so I can do better the next time.

With that out of the way, let's get started with the structure of this keynote. Sermon number one: let's talk about the seven sins, what they are, what we need to know about them, and how they map to IT security. Sermon number two: let's talk about the seven virtues, the counterpart thereof. And last but not least, the third sermon, which is the pathway to heaven, where we can improve ourselves to actually arrive at the point of no longer being prone to falling for those sins and opting more for those virtues.

Let's talk about the seven sins, and let's talk a little bit about history and think about where they actually came from, who came up with those things. Well, the origins are ancient, as with many things these days, and they can be attributed to the Roman writers back in the day, including Horace, who extolled a list of virtues, and to make sure that we have a matching counterpart they also listed the opposite thereof, the vices. They also preached the idea of getting rid of those vices and living towards those virtues to reach and achieve the state of wisdom.

Then in Christianity the concept was picked up and slowly manifested into what we know about this today. It was in the early 4th century, written in a monastery by a monk called Evagrius Ponticus, who was the first to document the virtues and the vices in a sort of bullet list. Back then he was a little bit more generous, because he picked eight, but today we only have seven left; but hey, that's not that bad. That is him, actually, back in the day in the 4th century, writing down that kind of stuff, and here we have the very origins of the seven sins. If you count properly you will see that these are indeed eight, so one was removed; we're going to talk about which one that was very soon. So we have Gula, gluttony; we have Luxuria, lust and fornication; we have Avaritia, avarice and greed; we have Tristitia, when you're feeling depressed; we have Ira, wrath; Acedia, sloth; Vanagloria, vainglory; and last but not least Superbia, pride and hubris.

Those were eventually boiled down to the seven sins, and that happened in the sixth century, mostly under the guidance of Pope Gregory the First. He and his team revised that list and came up with the seven candidates that made it in the end: lust and gluttony and greed and sloth and wrath and envy and, last but not least, pride. Then of course that hit the mainstream through Dante, who in his Divine Comedy picked up on those and made them accessible to a larger audience. You can kind of think about them like the OWASP Top 10, in a way.

So let's talk about them right away and see what we have. We have, for example, lust, and we probably all know what lust means in the original sense, but we might be wondering what it actually means in the sense of IT security, what it means for our world. Lust, or the uncontrollable desire: well, as [the previous speaker] already hinted in her first slide, this often manifests as the desire for access, control, data, and at the end of the day of course power. That could mean that we have the lust to exploit systems and get access to data that we shouldn't have, or that we as seemingly benign players gather too much data from our users in the first place, or that we just overzealously adopt new technologies without thinking about them, without doing risk assessments or security reviews. And well, you might remember this one case where they put the AI on MDN, the Mozilla Developer Network, and bad stuff happened. It could also be, if we talk about engaging in overly long discussions for a bug bounty, where the finder insists that they should get money even if the bug is just a triviality.

We could also talk about gluttony, the second of the seven sins on that list, and wonder how that could actually transfer into our modern world. With gluttony and overindulgence we can probably equate this simply with hoarding a lot of data, just getting as much data as possible. In Germany we know this word, [inaudible], and I find it beautiful; I'm not really sure if other languages have this, but it pretty much puts it right on the spot. Or just as well the over-consumption of resources that can lead to inefficiencies or vulnerabilities in the end, which holds for lots of technologies but can also hold for us humans: if, for example, there's too much pressure put on us as engineers, as managers, as whatever we do, and then we burn out and can't handle the stress anymore. Or, last but not least, not really spending the money where we should spend the money, because, well, I could either put my money into a new security engineer or I could put the money into a Mercedes and drive 280 km on the Autobahn. Well, the choice is yours at the end, but you can kind of guess what comes out and what is better.

Then we have of course the topic of greed, and greed is very interesting in our field, because with greed we can attribute lots and lots of things, because greed eventually boils down to the idea of achieving more profit at the expense of other important things such as, for example, security: cutting corners here and there, violating user privacy for monetary gain, and so on and so on. Or, last but not least, just not giving your employees proper training anymore and refusing to finance the training at conferences and events like this one. Or let's talk about the classic checkbox pen test, when someone comes and says, well, we have to have a pen test because, you understand, the needs from compliance and so on, but it would be good if it just took one day and you could just run a scanner and export the report; it's good enough for us, we just need that rubber stamp. So again this matches quite well: although this is such an ancient concept, we still see it reflected, with lots of repercussions, today.

Then of course we have sloth, and sloth is also quite interesting because it might also affect all of us here in this or the other way. With sloth we might be referring to, for example, laziness, and that's a classic, because it could be the laziness to maintain your systems properly and to patch them and update them properly. We all know how annoying updates can be; we also know that in some situations updates can in fact be dangerous, but well, we still have to actually apply them, or else. Or simply not following the news, missing that there was a critical bug in this or that product; let's for example talk about Atlassian or something like this, or Microsoft products in the recent past. Missing those kinds of things would be tremendously bad for your IT security posture, both your own and that of your company and your team.

Then, almost getting towards the end of the list, we have the topic of wrath, and with wrath it's quite interesting because that actually manifests in many ways in IT and specifically in IT security, where we can see destructive behaviors. The easiest example here for blind wrath would be denial of service, or distributed denial of service, DDoS, where people just think about revenge attacks or just doing damage and making sure that someone is hurt without even having the possibility of profiting from it. Another really bad idea that could be connected to the idea of wrath is the idea of the hack back: hacking back after you have been attacked is a generally terrible concept and it can't go well, yet this is being preached in many areas, and we should really think about whether that is a fine idea or not. Or if you talk about the classic example of the disgruntled employee who might, in case a situation arises and the job has been lost or some other tensions arise at work, simply use the powers that they have to do destructive stuff in the company itself, and know, well, in our internal network to which I still have access I can do so many things, so let's do some bad stuff here, persist ourselves and install a backdoor.

Then, even closer to the end of the list, we have the topic of envy. Apologies; the topic of envy is interesting because that is actually not that easy a one to map: envy and jealousy in a cyber security context, how do we do this? The best I could actually come up with in this particular situation is the envy for other people's resources, intellectual property, data, potentially leading to theft or even industrial espionage, or potentially the idea again that the priorities are being shifted and that we're trying to kind of exfiltrate money from channels where we shouldn't, and thereby weaken the security posture of everything. But well, we could potentially also think about envy or jealousy in the opposite direction, by inverting it and assuming that, well, no one's going to hack me, or no one's going to hack us, because I'm way less interesting of a target than anybody else, so I don't have to invest into cyber security, because who would steal from us, we don't have that much; which is usually a fallacy as well.

And last but not least, ladies and gentlemen, we're going to be talking about pride, and pride is of course a very interesting topic in our field, in our realm, and needs some attention, and it is one of the final ones that we're going to be covering today: the overconfidence, or even the hubris, in IT security. Big egos amongst bug bounty hunters, big egos amongst hackers, big egos amongst managers, and all those leading to a false estimation of the situation itself and thereby, again, to a weakening of the IT security posture. One of the things that I have heard in the past from another security company that we pen tested was that, well, no one has ever found a critical on our application; and then it turns out that this was not the case, and they just didn't really search properly. The hubris was weakening their outlook on this and was weakening their position, because they already thought that they were perfect and forgot that they're not, and thereby they exposed themselves even more. We had another funny situation with another client a couple of years ago, where we actually managed to get code execution on their server and we found a PHP shell in one of their folders that didn't belong there, and they were so proud of their own security systems that they actually claimed to our faces, well, this was us putting the shell there for debugging purposes. Like, huh, all right, that's how you do it, interesting.

Anyway, let's now conclude on the seven sins of infosec and how they map to IT security and to our modern world, and let's talk about the seven virtues, because they're even more important, because this is where we want to go eventually. With those seven virtues we need to think about, okay, how do we understand them and how do we apply them and what does this eventually give us. Again, let's talk about the origins thereof. They popped up right between the idea of the seven sins and the manifestation of the seven sins as really being seven and not just eight, and they came up in the fifth century by someone who was going with the name Prudentius, and they were called chastity, faith, the good works, concord, sobriety, patience and humility. They again gained traction more broadly through a poem that was a battle between the female personifications of the virtues and the seven sins, offering like a showdown, and that poem, if you're interested, was called Psychomachia: very interesting material and might be useful to kind of deepen the material on this particular topic.

So here we want to quickly go through them and summarize them and then already arrive at the conclusion of this talk, because hey, it's just the keynote and I have not much time left. We have chastity, where we could assume that this refers in our day's world to the use of technology and data in ethical manners and in responsible manners, to adhere to the principle of least privilege, maintaining appropriate boundaries regarding data access and use. Technically quite easy and something that we should be doing in the first place. Then we have the topic of temperance: to use a balanced approach to technology adoption, do not jump on everything that is hot and new, do not blindly install new appliances in your network, and make sure that there's always a decent and well-thought-out balance between security and functionality, because then the gaps are smaller and the risk of compromise is as well. Then we have the topic of charity, where we create and share secure code, we contribute to libraries, we contribute with patches, we submit pull requests on GitHub, and we contribute to the broader IT security landscape, making sure that our knowledge doesn't go away with us but that it's persisted, and that we actually give something back for all the things that we take. We have the topic of diligence, of course, another virtue, where we need to be staying up to date with the latest and the greatest in terms of security threats and security defenses and need to understand what we need to do tomorrow because of the things that happen today. We need to regularly review our own best practices and our own systems and strategies to make sure that they can't be compromised even if something really new pops up. The more you follow the trends, the more you have a chance to actually be secure against very recent attacks, and that's a fine thing as well.

That of course maps directly also to patience, where we need to be patient with our users, because our own expectations towards our own products and our own technologies might be different from the ones that our users have. Our users might be seeing things differently, might be perceiving things differently, might have different expectations, and with those they might not adhere to the same level of security best practices that we would, and we should not blame them for this, but we should support them and make sure that we pick up all our users right where they are and still give them good and at the same time secure experiences with the platforms and the products that we offer. Almost last but not least, we have the topic of kindness, which is one of the most important ones in these times. We want to treat our users with respect, with understanding; we want to make sure that our applications, our systems, are actually user-friendly, as user-friendly as possible, because only with that can good security actually be adopted. If the system itself is not user-friendly enough, then it's very much unlikely that users will use it properly, and that means that they might stride on paths that are not well stridden, and that means that they again at the end weaken the security posture. And last but not least, ladies and gentlemen, I would like to talk about humility, and we would like to acknowledge, and that is most important here also in this context, that we don't know everything and we won't ever know everything, that there's always something that we don't have on the radar, and that there's always so much to learn in this ever so quickly and rapidly evolving field of IT security. Events like this one here might help us to actually catch up, but we need to be aware that we can't know everything and that our egos should be small and should be modest and should be humble, because it's a huge field, it's insanely complex, and no one can understand everything and be full-stack anymore.

So, to slowly arrive towards the end of this presentation: what did we learn today? Not much, I guess, but hey, it's a keynote. So we want to talk about what we should actually make out of this, the pathway to heaven. What we learned today was maybe a little bit about history, and maybe that some of the things that are ancient and older than all of us combined in this room still have value and still last and still hold, and they still show us that there were interesting foundations being created thousands of years ago that still have relevance and repercussions today. So we see that there are parallels, that there's lots of things that we can directly map from one to the other element and see, wow, that really clicks, that makes perfect sense, and if we follow that path then bad consequences are [inaudible], and if we follow this other path then we might do better in the end. At the end of the day we understand that the seven virtues, contrary to the seven sins, give us the opportunity for improvement every day, every week, every month and every year. So my key argument here is, as usual: let's not aim for major leaps, but let's go for small steps, because that is the only thing that really works in IT security, especially in web security, and many other branches. All the revolutionary technology that we hoped would solve issues kind of failed, but all the small steps, like SameSite cookies, etc. etc., had amazing effects, and those are the ones that actually get us to move forward. That also kind of directly relates to us and our behaviors with technology and with the people that we interact with: we cannot just become better people and smarter people and wiser people in one go; we cannot really take this one magical pill or read this one magical book and then we're there. It takes lots of small steps and lots of time and lots of work, and it is always an uphill battle to improve.

Let's also keep in mind that we shouldn't put too much pressure on ourselves, to get back to the stress and the burnout: nobody is perfect, nobody in this room here is perfect, no one really, no one has their stuff together in full, and that is okay, because we're people, we're humans, and every day, with tiny steps, we can improve a little bit, and that is what we should aim for, in my humble opinion: small steps here and there, learn, enhance, adopt, improve. That connects directly to this event here, because those are the places, those are the spots, those are the times when we can actually do this collectively and talk to one another and socialize and learn new things and walk home as a little bit better of a person, and that's a fantastic thing.

To sum it up: we have already digested that ancient knowledge, and the modern principles are actually still quite interconnected. We have already seen that lots of things can be done to actually go for constant betterment and improvement of yourself and the systems and the people and the ideas around you, and we can now use all this information and all this knowledge at this and many other events to learn and get inspired and make progress together. At the end of the day, what we can achieve with this, and this I think is the most important and also probably the most motivating part, is to make things more secure together, without overdoing it or picking the wrong priorities or leaving the righteous path in the first place. That is all that I have for you today. Thank you very, very much, and I hope you have a beautiful day with the upcoming talks and events. That's it, thank you.