Assumptions, the Deadliest Vulnerability, presented at 44CON 2018

by Pete Herzog

Summary: Once upon a time there was a little girl named Goldilocks. She went for a walk in the forest, where she found a peculiar house. She knocked. No one answered, so she walked right in. <SPOILER ALERT> She died. Goldilocks and the Three Bears is the ultimate tale of making bad assumptions from test data. You know where else assumptions happen, but only sometimes end with bears mauling a little girl? Cybersecurity. It's a common problem, and it even happens to the experienced security analyst. Assumptions are the vulnerability you didn't see coming. Assumptions are what combine your experiences and gut instinct to lead you to make random decisions: random because neither your memories of your experiences nor your intrinsic feelings about something are very good decision makers. This makes decision-making the ultimate and deadliest vulnerability. In this talk we will discuss a variety of common security assumptions, such as cyber hygiene, defense in depth, and least privilege. We will discuss why they are assumptions and the technical and procedural solutions for them. Finally, we will discuss new security research that attempts to reveal and deal with these assumptions.