Making Open Work
May 8–9, 2017: Training & Tutorials
May 10–11, 2017: Conference
Austin, TX

Finding your way in the dark: Security from first principles

Susan Sons (Center for Applied Cybersecurity Research, Indiana University)
11:50am12:30pm Wednesday, May 10, 2017
Location: Meeting Room 10 A/B
Level: Intermediate
Average rating: *****
(5.00, 6 ratings)

Who is this presentation for?

  • Everyone can benefit from this session

What you'll learn

  • Learn how seven principles can help us model all of the different things we do in infosec, from programming, networking, architecture, and monitoring to policy, IR, education, and more


Two years ago, my colleague Craig Jackson and I were making our way home from a conference. For the second year in a row, we’d presented a workshop on building cybersecurity programs for scientific research projects with an emphasis on large facilities, and that year I presented a little addendum, Securing Novel Technologies. The thing about science is sometimes there is no guide to best practices. We’re often asked to secure things that don’t exist anywhere else. My addendum offered a glimpse at where I come up with controls for the weird stuff.

I’m that hacker. Giant telescope on top of a volcano? No best practices guide for that. Just send Susan; she’ll figure out how to secure it. SCADA under the Antarctic ice? Got it. The military called, but they can’t tell us what they called about just yet. Something’s trying to blow up the internet, and we need a strategy. . .

We have lots of people out there in the field following best practices guides and using controls from big lists. What we lack is enough security operatives who think and work around the edges of what we don’t understand well, either because it’s too new, because it’s too unusual, or because you just plain aren’t familiar with it and memorizing every piece of tech in the world is impossible.

The experienced among us reason from first principles, but we tend not to teach that way. . .until now. Using the seven information security practice principles developed with my team at IU CACR, I’ll introduce a mental model for reasoning about security instead of trying to memorize for security and demonstrate its application to real-world examples. You’ll leave looking at the technologies and human systems around you a little differently.

Photo of Susan Sons

Susan Sons

Center for Applied Cybersecurity Research, Indiana University

Susan Sons is a hacker, author, and miscreant based in Bloomington, Indiana. In her working life, she aids NSF- and DHS-funded projects in establishing and maintaining sound information security practices. In her off hours, Susan codes, writes, and leads ICEI, the Internet Civil Engineering Institute, a nonprofit that supports the open source software infrastructure upon which the internet and computing in general depend. When not rescuing software projects, Susan lifts weights, practices martial arts, and gives her time as a volunteer search and rescue worker.