Security Bsides Las Vegas 2024

Free Your Mind: Battling Our Biases
2024-08-06, Florentine F

Being a beginner doesn't have to be all bad. Being an expert doesn't always mean you're the best person to solve a problem. Whether you're brand new or you've been in the industry since the Morris worm ran rampant, join us for a session of introspection and hopefully take away a few new perspectives and tools for improving the way you think.


Outline

  • Intro / about the author
    • dade - Former red team, current staff security engineer, but this isn't about my day job.
    • This is not a technical talk; it is a talk about biases, the unexpected benefits of being a beginner, and changing the way we interact with our colleagues and peers.
  • Audience Survey
    • Gauge how receptive the audience is to the content
    • Have you recently done something that you later felt was dumb?
    • Have you recently refrained from asking a question because you were afraid people would think you were dumb?
    • Have you recently been annoyed when someone asked a question that you thought they should know the answer to?
    • Have you recently refrained from sharing a piece of information because you assumed everyone already knew it?
  • "Always be the dumbest person in the room"
    • Common advice people get about up-leveling themselves, if you're the dumbest person in the room, you can learn from everyone around you
    • But this can be exhausting, and it obviously doesn't scale as your career grows -- you will either die an amateur, or live long enough to see yourself become the expert
    • One of my highest severity findings in my entire career came not because of some leet hacks or my depth of knowledge in web apps. It came because I didn't know what else to do, so I removed an authentication cookie from my request altogether, and was surprised to see that nothing actually validated the presence of the cookie. If the cookie was there but wrong, you'd get rejected. But if it just wasn't there at all, you'd pass right on through. Others completely overlooked this in favor of trying more advanced techniques of attacking JWTs. Sometimes, doing the simplest possible thing is all you need.
  • Talking to Beginners
    • It's very normal to feel overwhelmed with information, especially in this industry
    • Everyone feels dumb about something, even if they are really good at related things
    • Asking questions can be scary if you assume everyone is smarter than you, because you also feel like their time is worth more than yours, and that you're wasting their time.
    • It's easy to go along with what people say because they are assumed to know more, a sort of authority bias, which creates a bandwagon effect where everyone goes along with something even if it's wrong.
    • By choosing not to ask a question, not to try a new project, or not to commit to something because we think we can't do it, we are engaging in self-handicapping.
  • Shared Information Bias
    • A room full of people will spend the majority of their time talking about information that everyone already has context around. This helps to achieve consensus, but it does not necessarily produce the best decision.
    • How do we counter this, to ensure that we're addressing the unshared information? When should we counter it?
  • Embrace being wrong
    • When our minds are free of assumptions about how a system works, how something should work, we are free to be curious and experiment.
    • Being wrong is a powerful way to make discoveries that can not only solve problems, but change the entire way we think about those problems.
    • "I never once failed at making a light bulb. I just found out 99 ways not to make one."
  • Talking to Experts
    • As we grow in our field, we become saturated with various biases. Even if we think we aren't, that's a bias in itself called the Bias Blind Spot.
    • The more experience we have in an environment, whether that be at a particular job, at a particular company, or in a particular role in the industry, the more likely we are to experience status quo bias -- preferring things stay the same because that's what we know
    • We become laden with the curse of knowledge, unable to see the perspectives of others who don't have all those years of experience, even if their perspectives might be better than ours in some regard.
    • We face confirmation bias, favoring things that agree with our pre-existing beliefs, and subconsciously leading us away from things that challenge us.
    • We have to not only make room for beginners to ask questions or make suggestions, we have to actively encourage it. We have to lead by example.
    • Sometimes, even if we know the answer, it can be valuable to ask the question so that others in the room who aren't comfortable speaking up can know the answer, and can feel more comfortable asking their own questions.
  • Problems Exist Between Reality And Mental Model (PEBRAMM)
    • Our mental models of how systems work are often biased by our experiences and by the knowledge we already have
    • In any advanced system, whether of computers or people, it is surprisingly easy for these mental models to quickly become inaccurate.
    • By making a conscious, active effort to free ourselves of the constraints of our own mental models, we can look at things in a new light and find wonderful ways to improve them. We can think critically about things we otherwise take for granted.
  • Divergent Thinking
    • Sir Ken Robinson gave a TED talk back in 2007 asking if schools kill creativity. In it, he gives one particular example that I find myself using as a reference a lot. Specifically it talks about divergent thinking, a way of seeing lots of ways to interpret a question, lots of possible answers to a question.
    • "How many uses can you think of for a paper clip" - Most people might come up with 10 or 15. Really good people might come up with 200, because they will ask questions like "Could it be 200 feet tall and made of foam rubber?" Suddenly the uses for that paper clip could expand dramatically, by simply suspending our pre-conceived notions around what "paper clip" means.
    • This is, in my opinion, the essence of red teaming. Red teaming has nothing to do with hacking computers, though that is the way our industry uses it a lot today. The actual skill itself that makes someone a valuable red team member is their ability to think divergently. To look at systems and think "What if X wasn't X and instead it was A?"
    • By practicing this skill of divergent thinking, we can improve our abilities to challenge our mental models and improve our ability to address problems at much more fundamental levels.
  • Wrapping up
    • As an expert, go out of your way to ask questions that you think others might need to know the answer to, even if you already know the answer. Ask to clarify acronyms. Ask to clarify assumptions people are making. You will pave the way for a much more productive and informed team.
    • As a beginner, be curious, be wrong, be inquisitive. If someone says something you think is wrong, ask to clarify. Don't assume that just because someone has 20 years of experience that they are automatically right. Seek to understand why they believe what they believe.
    • Engage in divergent thinking, challenge assumptions, challenge your own beliefs and your own mental models. This is how we become better, not only at our jobs, but as people.
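The authentication-cookie finding described under "Always be the dumbest person in the room" comes down to a handler that validates a cookie only when one is present and falls through when it is absent. The block below is an added example written for this page, not code from the talk or from the application dade tested; the talk does not describe that system, so an HMAC-signed session cookie stands in for the JWT, the cookie name `session`, the handler names and the request shape are all assumptions, and the server key is a constructed placeholder. It puts the vulnerable pattern beside a fail-closed version and includes an attacker-side helper so the "wrong cookie is rejected, missing cookie is accepted" behaviour can be checked directly.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; a real deployment loads this from a secrets store.
SERVER_KEY = b"example-server-key-not-for-production"
PROTECTED_RESOURCE = "protected data for {user}"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw payload, urlsafe-base64 encoded."""
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_session_cookie(user: str) -> str:
    """Mint a cookie of the form base64(payload).signature (assumed format)."""
    payload = json.dumps({"sub": user}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def verify_session_cookie(cookie: str) -> Optional[str]:
    """Return the subject if the signature verifies, otherwise None."""
    try:
        body, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, TypeError):  # no dot, bad base64, bad padding
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        return json.loads(payload)["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def forge_cookie(cookie: str, new_user: str) -> str:
    """Attacker-side helper: swap the payload but keep the original signature."""
    _, sig = cookie.split(".", 1)
    body = base64.urlsafe_b64encode(json.dumps({"sub": new_user}).encode()).decode()
    return f"{body}.{sig}"


def handle_request_vulnerable(cookies: dict) -> tuple:
    """The pattern from the finding: a present-but-wrong cookie is rejected,
    but an absent cookie is never checked, so the request falls through."""
    user = "anonymous"
    if "session" in cookies:
        user = verify_session_cookie(cookies["session"])
        if user is None:
            return 401, "invalid session"
    # No else branch: with no cookie at all we reach the resource unauthenticated.
    return 200, PROTECTED_RESOURCE.format(user=user)


def handle_request_hardened(cookies: dict) -> tuple:
    """Fail closed: a missing cookie and an invalid cookie get the same answer."""
    user = verify_session_cookie(cookies.get("session") or "")
    if user is None:
        return 401, "authentication required"
    return 200, PROTECTED_RESOURCE.format(user=user)


if __name__ == "__main__":
    good = issue_session_cookie("alice")
    for name, handler in (("vulnerable", handle_request_vulnerable),
                          ("hardened", handle_request_hardened)):
        print(name, "no cookie:   ", handler({}))
        print(name, "bad cookie:  ", handler({"session": "garbage"}))
        print(name, "forged:      ", handler({"session": forge_cookie(good, "admin")}))
        print(name, "valid cookie:", handler({"session": good}))
```

The test a pentester would run against the real thing is the last three lines of the `main` block in order: first a tampered cookie (confirms validation exists), then a deleted cookie (confirms whether validation is conditional on presence). The hardened version folds both into one path by treating "no cookie" as the empty string and letting the verifier reject it.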

dade is a former Fortune 50 red teamer turned startup staff security engineer. While at work, he's passionate about all things security, software, and infrastructure related. While he's not at work, he's passionate about getting back to work. He also enjoys developing software, blogging, self-hosting, and writing rap songs about his interests and hobbies.