“Just Culture”

(Just as in justice)
A just culture is a culture of trust, learning and accountability.

Instead of blaming the person who last touched something, the focus turns to the actual issues in the system.

Blaming someone makes it easier to appease most groups.
But if the issue is inherent in the system, sacking an employee won't fix the system.

Revisiting Security Engineering

  • Learning from the past
  • Being open to mistakes
  • Finding how to improve
  • Applying best practice

Design Principles

  • Defense In Depth
    • Redundancy
    • Dual Control
    • However, it can also mask things
  • Understanding the process, rather than just carrying it out
  • Reviewing
  • Professionalism
    • Duty to your profession, not just your company
    • Dealing with conflicts of interest
    • Engineers also have pride: we love what we do, so we do it as well as we can.
  • Quantify things
  • Closing the loop
    • Feed forward -> producing what we think we need to progress
    • Feedback completes the loop - Listening to responses and making improvements

350 Alarms

Alarm fatigue.

Which alarms are most important?

Coherence

  • Not too complex
  • Not tightly coupled

Can we remove humans from the system?

  • Devices can only operate under the conditions that they were designed for
    • They are designed to a set of criteria
    • Attackers find ways to bypass the criteria
  • Therefore we need humans in the system for events that fall outside the scope the device covers.

End to End - Security

Make sure to completely secure the system, including the endpoints.

For example, even if login credentials are secured over the internet, a keyboard logger at the starting endpoint would still capture the credentials.

Communication

When talking to others, speak for the sake of the other person.


A scientist is someone who tries to prove themselves wrong.
Theories that can be proven wrong, but which haven't been disproved, are more likely to be true.