Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015
1. “Bringing You the Science in Security”
Piece of (i) Proprietary – Do Not Distribute
Women in Cybersecurity Panel
Connie Vaughn
Cvaughn@pieceofi.com
916-472-5614
InfraGard
11th Annual Security Symposium
November 17, 2015
Rancho Cordova, California
Piece of (i) Security Solutions
2. Outline
• Define the Terms used for Vulnerability and Risk Assessments
• Discuss Analysis Approaches
• Discuss Future Threats and Challenges
• References
• Questions & Answers
3. Definitions
• Vulnerability Assessment
– A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts
4. Definitions (cont’d)
• Risk Assessment
– A process of analyzing threats and vulnerabilities of a facility, determining the potential for losses, and identifying cost-effective corrective measures and residual risk
5. Physical and Cyber Consequences
(Figure: side-by-side comparison, panels titled “Physical Attack” and “Cyber Attack”)
6. “The Science in Security”

R = P_A * [ 1 – P_E ] * C

  R        Security Risk
  P_A      Frequency of Event
  1 – P_E  Probability of Adversary Success
  P_E      Probability “Options to Mitigate” will Prevent Event, built from
             P_I  Probability of Interruption
             P_N  Probability of Neutralization
  C        Impact of Event

What Your System Can Do
And More Importantly
What Your System Can Not Do!
7. Adversary Task Time
(Figure: timeline of the physical protection system (PPS) response plotted against the adversary’s task time)

  Begin Action ............................................ Task Complete
  T_0  First System Alarm
  T_A  Detection: Alarm Assessed
  T_I  Response: Adversary Interrupted
  T_C  Adversary Task Complete
  PPS Time Required: from T_0 through T_A to T_I (detect, assess, respond)
  System Delay: the delay the PPS still imposes on the adversary after T_0; the response can only interrupt the adversary if T_I comes before T_C
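The risk formula on slide 6 and the timeline on slide 7, worked through in Python as an added example that is not part of the deck. It assumes P_E = P_I * P_N (the combination used in the Garcia references the deck lists), the simplification that P_I equals the detection probability whenever T_I falls before T_C and is zero otherwise, and constructed sample numbers for one adversary path.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    """One adversary path through the PPS; all numbers are constructed samples."""
    name: str
    p_a: float       # P_A, Frequency of Event (attacks per year)
    c: float         # C, Impact of Event (loss in dollars if the attack succeeds)
    p_d: float       # probability the first system alarm actually detects the adversary
    p_n: float       # P_N, Probability of Neutralization once responders arrive
    t0: float        # seconds from Begin Action to the first system alarm (T_0)
    assess: float    # seconds to assess the alarm: T_A = T_0 + assess
    response: float  # seconds for the response force to arrive: T_I = T_A + response
    task: float      # seconds from Begin Action to Task Complete (T_C)

def interruption_time(p: Path) -> float:
    """T_I: when the response force can interrupt the adversary."""
    return p.t0 + p.assess + p.response

def is_timely(p: Path) -> bool:
    """Detection is timely only if responders arrive before the task is done: T_I < T_C."""
    return interruption_time(p) < p.task

def p_interruption(p: Path) -> float:
    """P_I (assumed simplification): detection probability if timely, else no interruption."""
    return p.p_d if is_timely(p) else 0.0

def p_effectiveness(p: Path) -> float:
    """P_E = P_I * P_N (assumption from the Garcia references): PPS prevents the event."""
    return p_interruption(p) * p.p_n

def security_risk(p: Path) -> float:
    """R = P_A * (1 - P_E) * C, expected loss per year."""
    return p.p_a * (1.0 - p_effectiveness(p)) * p.c

# Baseline: responders need 390 s, but the adversary finishes in 240 s.
BASELINE = Path("vault, baseline", p_a=0.1, c=5_000_000, p_d=0.9, p_n=0.8,
                t0=30, assess=60, response=300, task=240)
# "Redesign if necessary": delay added after the alarm (a harder barrier) pushes
# T_C to 420 s, so the same detection and response now arrive in time.
REDESIGN = Path("vault, extra delay", p_a=0.1, c=5_000_000, p_d=0.9, p_n=0.8,
                t0=30, assess=60, response=300, task=420)

if __name__ == "__main__":
    for p in (BASELINE, REDESIGN):
        print(f"{p.name}: timely={is_timely(p)} P_E={p_effectiveness(p):.2f} "
              f"R=${security_risk(p):,.0f}/yr")
```

Without added delay the PPS cannot interrupt at all, so P_E is 0 and the full P_A * C is carried as risk; adding delay alone, with no change to detection or response, drops the expected loss by the factor 1 - P_E.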
8. Recent Physical Security Examples
• Man Enters White House
• Two NY Prisoners Escape
• El Chapo Prison Escape
• Smugglers Tried Selling Nuclear Material to ISIS
• London Jewelry Theft
• Pedophiles Finding a Safe Haven on the Dark Net
• Russian Plane Bombing
• Unmanned Aircraft Systems (UAS) Events (airports, fire zones, White House, etc.)
9. Key Steps
• Establish a team
• Define or characterize objectives of the PPS (physical protection system)
• Analyze the PPS
• Redesign if necessary
• Conduct performance tests
• Determine risk level
10. Security Management
• Who has the Chief Security Officer responsibilities?
  – Devise policies and procedures
    • Loss & fraud prevention
    • Privacy
  – Oversee and coordinate security efforts
    • Information technology
    • Human resources
    • Communications
    • Legal
    • Facilities
  – Develop procedures to ensure physical safety
    • Management
    • Employees
    • Visitors
  – Maintain relationships with local, state and federal law enforcement
  – Develop emergency procedures and incident responses
  – Conduct risk management assessments
11. Emerging Threats & Challenges
• Unmanned Aircraft Systems (UAS)
  – Government policies?
  – Enforcement?
• Lone Wolf
  – Anti-government
  – Economic disparity
  – Increase in violence
  – Attracted to soft targets
• History of Low Crime
  – I can’t believe it happened here!
12. UAS Challenges
• Over 1 Million Expected Sales this Year
• Lack of Regulations and Laws
• Detection and Assessment
  – Many sizes, shapes, payloads, and materials
  – Determining intent (commercial deliveries vs. malicious)
• Tracking
  – High speeds (over 70 mph)
• Neutralization
  – Kinetic or passive
  – Unintended consequences
13. Wireless Technology Challenges
• Evolving Smart Technologies
  – Smart homes
  – Smart cars
  – Baby monitors
14. Reference Material
• ASIS International Risk Assessment Standard (2015)
• Design and Evaluation of Physical Protection Systems (2007), Mary Lynn Garcia, CPP, Butterworth-Heinemann, ISBN 978-0-7506-8352-X
• Vulnerability Assessment of Physical Protection Systems (2006), Mary Lynn Garcia, CPP, Butterworth-Heinemann, ISBN 0-7506-7788-0
• Security Risk Assessment and Management (2007), Betty Biringer, John Wiley & Sons, Inc., ISBN 978-0-471-79352-6
15. Questions/Answers
WWW.pieceofi.com