Rischi o vulnerabilità? (Risks or vulnerabilities?)
Slides prepared in a few hours to fill in for a missing speaker at the All Security conference in Rome, 2011.

Published in: Technology
Transcript of "Rischi o vulnerabilità?"

  1. Rischi o vulnerabilità? (Risks or vulnerabilities?) Alessio L.R. Pennasilico, Rome, 7 April 2011. mayhem@alba.st, twitter: mayhemspp, FaceBook: alessio.pennasilico
  2. $ whois mayhem. Security Evangelist @ Board of Directors: CLUSIT, Associazione Informatici Professionisti, Associazione Italiana Professionisti Sicurezza Informatica, Italian Linux Society, OpenBSD Italian User Group, Hacker’s Profiling Project. (Slide footer: Rischi o vulnerabilità? mayhem@alba.st 2)
  3. Credits: Roger G. Johnston, Vulnerability Assessment Team, Nuclear Engineering Division, Argonne National Laboratory. http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf
  4. Risks or vulnerabilities?
  5. Malware. Threat: adversaries might install malware on the computers in our Personnel Department so they can steal social security numbers for purposes of identity theft. Vulnerability: the computers in the Personnel Department do not have up-to-date virus definitions for their anti-malware software.
  6. Thieves. Threat: thieves could break into our facility and steal our equipment. Vulnerability: the lock we are using on the building doors is easy to pick or bump.
  7. Social Engineering. Threat: nefarious insiders might release confidential information to adversaries. Vulnerability: employees don’t currently have a good understanding of what information is sensitive/confidential and what is not, so they can’t do a good job of protecting it.
  8. Myth #1: “a Threat without a mitigation is a Vulnerability”. This makes no sense because (a) a Threat is not a Vulnerability; (b) security is a continuum and 100% elimination of a Vulnerability is rarely possible; (c) adversaries may not automatically recognize a Vulnerability, so mitigating it may be irrelevant for that specific Threat.
  9. Myth #2: “Threats are more important than Vulnerabilities”. We need to consider that a TA (threat assessment) involves mostly speculating about people who are not in front of us, and who might not even exist, but who have complex motivations, goals, mindsets, and resources if they do exist. Vulnerabilities are more concrete and right in front of us (if we’re clever and imaginative enough to see them). They are discovered by doing an analysis of actual infrastructure and its security, not by speculating about people.
  10. Past vs Future. Some people claim that past security incidents can tell us all we need to know about Threats, but that is just being reactive, not proactive, and misses rare but very catastrophic attacks.
  11. If you understand and take some reasonable effort to mitigate your security Vulnerabilities, you are probably in fairly good shape regardless of the Threats.
  12. If you understand the Threats but are ignorant of the Vulnerabilities, you are not likely to be very secure, because the adversaries will have many different ways in.
  13. Cognitive Biases
  14. Optimism Bias: the demonstrated systematic tendency for people to be over-optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. It is one of several kinds of positive illusion to which people are generally susceptible.
  15. Optimism Bias: optimistic overconfidence bias can induce people to underinvest in primary and preventive care and other risk-reducing behaviors.
  16. A brain-imaging study found that, when imagining negative future events, signals in the amygdala, an emotion centre of the brain, are weaker than when remembering past negative events. This weakened consideration of possible negative outcomes is one possible mechanism for optimism bias.
  17. Heuristic: experience-based techniques that help in problem solving, learning and discovery; a "rule of thumb", an educated guess, an intuitive judgment or simply common sense.
  18. Availability heuristic: estimating what is more likely by what is more available in memory, which is biased toward vivid, unusual, or emotionally charged examples.
  19. Representativeness heuristic: judging probabilities on the basis of resemblance.
  20. Affect heuristic: basing a decision on an emotional reaction rather than a calculation of risks and benefits.
  21. Donald Norman
  22. Conclusions
  23. Conclusions: we must deal with threats. We must deal with vulnerabilities.
  24. Conclusions: we are human, we can make mistakes. Trying to manage the causes of misjudgement helps.
  25. These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. “Please” cite your source and use the same licence :) Questions? Thank you for your attention! Alessio L.R. Pennasilico, Rome, 7 April 2011. mayhem@alba.st, twitter: mayhemspp, FaceBook: alessio.pennasilico