
Mornings With Mark
no. // 0 0 0 3

Tanacon, Security, and Lack of a Threat Model


Full machine generated transcript follows

Good morning, everybody. Welcome to episode 73 of Mornings with Mark. I have a different one for you today. Over the weekend here, in the middle of June, there was an event held in California called TanaCon. Now, this is a social media event. It was sort of a B-Sides-esque version of VidCon. VidCon is a massive event for creators, mainly for YouTubers to interact with their fans, you know, and have an experience. TanaCon was set up by an individual creator as a counter to that, because of challenges with the original event, and she started her own. This is the first time this conference has ever run.

The reason I want to talk about it today is because, from all reports, it was a disaster. I was not there, I did not attend, but from a security and privacy perspective I find it a very, very interesting case, because it reminds all cybersecurity practitioners that there is a physical aspect to things. You can't just set it up online and not worry about anything, and that's always a good take-home message for cyber security in any and all venues. But I think what's really fascinating about this conference is that it's a classic example of not fully exploring the scope of the risk model associated with something.

So keep it easy, keep it simple here. This conference was planned in a venue that held about a thousand people. They sold, or had made available, about 5,000 tickets, and had anywhere from fifteen to twenty thousand people show up. Now, the demographic of this conference was primarily younger folks who are very active on social media. The word spreads fast; things surface one way or the other very, very quickly given the audience and the level of connectivity. So you get very interesting mass psychology effects going on.

So we already had a problem. The venue was too small for the number of tickets released, and then four times as many people showed up to the actual venue. So there are significant challenges here. Now, that's the first scoping problem. While you expect some people not to show up if you sell tickets, you have to have the capacity to handle them. There's a sizing problem, and that's a major risk: the venue is not appropriate for the number of people that you've committed to being able to serve. That's it. That's the number one risk.

Number two is that this is a social event that is very much promoted on digital media. They made a mistake saying tickets were available at the door. They had way more people show up, and they kept those people in line. And that's a really interesting thing to do. Now, this all comes back to, you know, I don't think there's any malicious intent. This is purely just inexperience. It got a ton of people really frustrated, but there are some really significant issues that I want to talk to you about, because the parallels are very appropriate. People have an idea in mind and say, I'm going to build system X, or I'm going to create my own conference, my own event. And then they start to scale up part of the problem, but only the part of the problem that they see, that they think about.

So this conference was started because of a lack of parity between the creators, the speakers at the conference, and the people; they said they wanted a lot of interaction in the first place. Already that's a challenge if that's your goal and your security settings and controls aren't lining up with that. And we see this all the time in organizations when I go talk to them: I'm going to create an application that is going to allow people to buy tickets online.

Let's use a relevant example: a conference application that lets people buy tickets online, and because I want to build up demand, I'm going to make sure that you can only buy at, like, 10 a.m. That's when everything's going to open up. Okay, great, I'm going to be able to sell X number of tickets very, very quickly because of pent-up demand. But that creates other unintended consequences, second-order effects, down the road: now you're forcing a massive spike in traffic on the system, and that has issues. Is your system going to scale from nothing to massive and have additional unintended behaviors? It's very similar to this conference, right? They scaled it up way too fast, and they scaled it out of its own capacity before they even started by selling 5,000 tickets for a 1,000 person venue. And like I said, that's common.

It's hard to properly scope something because you get so caught up in the coolness factor, in the idea. So I see this quite often when we're building stuff in the cloud. People go, okay, I'm going to move my existing system over, and you know what, I'm going to scale it out. I'm going to add more servers, but without changing anything in the background, without understanding that because you need more servers, that needs more database capacity, a content delivery network, the second-order effects. This is really, really difficult to nail everything out of the gate, but you need to go through some sort of exercise when it comes to risk, like TanaCon this weekend.

We call that a threat risk assessment. There are a number of models out there that help you work through asking these relevant questions. Okay, so if I have a venue for 1,000 people, what happens if I sell more than a thousand tickets? Well, we're expecting maybe a 10% no-show rate, but that means, you know, 1,100 tickets, not 5,000 tickets.

So working through risk assessments is really critical, because it helps combat that issue of lack of modeling, lack of scope, a lack of understanding of the real scope. And I know it's kind of vague, but I think it's a really important thing to keep in the back of your head. There's no easy solution; it's just a core principle of doing cyber security, or of throwing an event, frankly. On the security and privacy side, it's really important to make sure that you are properly modeling any potential risks and exploring and pushing yourself, because you don't know what those risks are. That's why you bring a team and you do some whiteboarding, you ask some questions, you ask people who've already built similar systems or run similar events, because you can easily run into a scenario like what happened to TanaCon this weekend, where intentions were good, implementation was atrocious, and the pushback and blowback has been significant. And the cyber security equivalent is: intentions are good, you get hacked and end up on the front page. Again, scoping. That's why we use risk assessment tools.

But in addition to that takeaway, remember that physical security is always a piece of cybersecurity. That is the number one thing I see people missing time and time again: they only worry about cyber security, not the physical security, and it's a further example of a lack of proper scoping, a lack of risk assessment.

So what do you think? Let me know online. I'm @marknca in the comments down below, or as always by email. I'm interested to hear your experiences in the physical security world and in scoping, because scoping is a massive problem in general in IT, and it sometimes prevents things in a number of ways, I think. So let's keep this discussion going. I hope you're set up for a fantastic day. I will talk to you online and see you on the show tomorrow.