In den CASA Distinguished Lectures heißen wir ausgewählte international und nationale Wissenschaftler*innen am HGI willkommen. An die meist einstündigen Vorträge dieser exzellenten Gastredner*innen schließt immer auch eine Diskussion mit den Teilnehmenden an. Damit möchten wir unser Ziel verwirklichen, einen regen Gedankenaustausch innerhalb der Cyber-Security-Forschung anzutreiben und neue Perspektiven zu öffnen.
Aufgrund der aktuellen Situation rund um die COVID-19-Epidemie werden die Lectures online abgehalten - und sind damit für Interessierte auf der ganzen Welt zugänglich.
Auf unserem Youtube-Kanal können Sie sich außerdem einige unserer Distinguished Lectures jederzeit in voller Länge anschauen.
Am Donnerstag, den 16.07.2020 um 16.00 Uhr wird Adam Shostack von der Shostack & Associatesden Vortrag"We Need A Discipline of Cyber Public Health" halten.
For all the tragedy the coronavirus has brought and difficulties in fighting it, we have a discipline of public health. Scientists are advancing the science of public health. We have public health institutions at many scales: local, national and international. They are defining, gathering and distributing statistical measures. Those measures include most prominently deaths, but also hospital admissions, and for some diseases doctor diagnoses. We have guidance for the public.
We have few equivalents in the world of cybersecurity. We do not know how many computers have malware on them. We do not know what the equivalent of deaths are: is it systems lost to ransomware? What if they were backed up? We do not study means of infection or transmission rates.
These issues are important to me both in a broad sense and in a very specific one. Much of my work is focused on threat modeling: the anticipation of future security problems in technology. What problems ought we anticipate and address?
Some security problems are a result of developer errors. These errors include selecting bad tooling, using tools badly, or failing to recognize that they must authenticate, sanitize or otherwise apply security knowledge to a situation. Other problems are what we call “user error,” but that assignment of blame is, itself, hotly contested and often unfair. Security experts rarely give advice on the level of “wash your hands.” Their advice is rarely consistent with other experts, or the public. People are naturally confused and give up. These are all things that public health statistics could help us define and measure.
Because we cannot quantify how computers are compromised, or the causes, it is hard to justify answers to the question of “what should developers know about security?” We know there are aspects of security developers must consider, but the time and attention of developers is a scarce resource. Educating and training them effectively is dependent on prioritization, and for that we need cyber public health and its measurement capabilities.
bio: Adam is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
Link zum Zoom-Webinar