Dailydave mailing list archives

Re: visualizing security techniques


From: "L. Aaron Kaplan" <kaplan () cert at>
Date: Mon, 6 Dec 2010 19:37:40 +0100

I gave a talk about IT Security Visualization at FIRST 2010.

Essentially you want to focus on two sub-groups:
1) those in the know (operators, sysadmins, coders, geeks, it security experts)
2) the rest

For (1) you can look at fancy tools like gephi.org, processing.js, graphviz, etc...
These tools (often FLOSS) will give you some wow effects, however... the real 
art lies in convincing (2).

For (2) (the majority) there is a technique which I like a lot [1]
to represent magnitudes/dimensions of a security problem. My wife and I created these graphics,
and we thought hard about how to explain some IT security issue to the general public.

Take for example spam:
  we as experts know that it is a big problem. In multiple ways! Spam generates 
lots of willing money mules, 'pharmacy' orders, distributes malware, etc.
Now, for a minute try to imagine how you could (graphically) explain 'pharmacy' orders
to your mother/father/grandmother/grandfather who knows nothing about computers.
Well, you have to show the dimensions of the problem and the whole cycle.

Let's start with 
  http://www.annapetukhova.com/sites/default/files/piplint.jpg
Easy! 1 in four people on the planet is connected to the internet.
Now, let's look at the global internet traffic:
  http://www.annapetukhova.com/sites/default/files/traff.jpg
Ok, so email is not even that much, but, let's now zoom in on the 
yellow email traffic:
  http://www.annapetukhova.com/sites/default/files/mailspam.jpg
Ah! so now your mother/father knows that most of the mail traffic
is crap. Ok, but why do they send that then?

Well, here is the complete cycle:
  http://www.annapetukhova.com/sites/default/files/big.jpg
You can see that the guy with the laptop can either choose to throw 
spam away or place an order. However, the totals of all the orders will
be lots of $$$ (actually you can count it ;-) ) - of which the spammer
gets to keep the most part. A very small part goes to let's say India
where 'generic viagra' is produced and then gets sent to the customer.
The blackhat gets to keep a small part of the whole profit.

Compare that to your income:
http://www.annapetukhova.com/sites/default/files/incom.jpg

Or to the amount of power that sending, processing, filtering and 
receiving spam uses up:
  http://www.annapetukhova.com/sites/default/files/pplant.jpg
Yes! that is one nuclear plant ;-) Just for spam.
Now show that to Greenpeace and you have got them on your side in the 
cause to fight spam :))


So this example - I hope - conveyed the technique of creating
infodesign presentations which even politicians understand.
Of course this example is not complete nor 100% perfect. Nor is it easy 
to automate, but I think presenting things like that has some big impact.


I hope it helped...
Aaron
CERT.at





On Nov 5, 2010, at 1:20 AM, travis+ml-dailydave () subspacefield org wrote:

So for those of you who make presentations for non-experts, I was
wondering if you had any ideas on how to create compelling
graphics/video/animations for security presentations.



[1] http://en.wikipedia.org/wiki/Otto_Neurath
http://www.google.at/images?q=otto+neurath&um=1&ie=UTF-8&source=univ&ei=9Cv9TITJGcGn8QPYq4TjCw&sa=X&oi=image_result_group&ct=title&resnum=3&ved=0CEIQsAQwAg&biw=1231&bih=636


--
L. Aaron Kaplan
http://www.cert.at
kaplan () cert at
Tel: +43 1 505 64 16 / 78

