SlideShare a Scribd company logo

Cyber by-sighbear-context-1.0-notes

S
Sighbearuk

Applying context to cyber-risk management this deck provides examples of how to apply risk management with context in both the cyber world and the Sigh Bear world (with speaker notes)

Technology
1 of 19
Download to read offline
Welcome to more Cyber by Sighbear in association with the CiBears. This slide deck expands on the initial story of Cybersecurity and continues the journey for those who wish to get into the industry and as a refresher to those already in the industry as to how and why we do Cyber Security. This is the second slide deck and there will be others that expand on the areas covered in this one and related areas. Cyber by Sighbear Context is Key What are the CiBears without context? V0.1 Draft
The story so far ● In the first slide deck we covered Cyber & Risk. ● Then we joined the two together for Cyber-Risk. ● We used Cyber and CiBear world examples to help introduce a simple equation for risk assessment. ● The deck introduced each of the parts to the equation. ● It finally wrapped it up with risk management. ● If you have not seen part 1 or need a detailed refresher see https://www.sighbear.uk/Cyber-Education/ In the first slide deck we covered Cyber & Risk and definitions for them both. We joined Cyber and Risk together for Cyber-Risk. The deck then used Cyber and CiBear world scenarios whilst introducing a simple risk equation (R = V * L * I) for risk assessment. Then it introduced each of the parts to the equation, R=Risk, V=Vulnerability, L=Likelihood and I=Impact (which also covered assets and value). The deck finally wrapped it all up with risk management through the following approaches ● Avoid ● Control ● Accept ● Transfer 2
The story today! CONTEXT! - Introduce it As it says on the slide. 3
What is context? ● Context is Key ● Definition of Context ○ “the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood.” Understand the context. What is the context, what are you trying to achieve and what are the parameters that apply? Hopefully the next few slides answer this question. 4
Why apply context in the Cyber world? Cyber world A business is thinking of deploying a new IT system ● Where should they deploy? ● On premises or in the Cloud? So when applying cyber-risk you need to understand what the business is trying to achieve and how they might want to achieve it, which will then have an effect on the risks. Remember the equation from the first slide deck? R = V * L * I (R=Risk, V=Vulnerability, L=Likelihood and I=Impact) These will change based on the context. For example, if the location of the information stored on premises is on a fault line then the likelihood of a earthquake increases, this needs a context driven risk approach. Can you work out what 1001101000010 is? 5
Why apply context in the Sighbear world? Sighbear world The bear is thinking of going on holiday ● Where should they go? ● Somewhere cold or hot? So when Sighbear is thinking of going on holiday he applies a risk approach, you need to understand what the bear is trying to achieve (sun tan or adrenaline seeking) and how he wants to achieve it which will then have an effect on the risks. Remember the equation from the first slide deck? R = V * L * I (R=Risk, V=Vulnerability, L=Likelihood and I=Impact) These will change based on the context. For example if the holiday destination has a heightened likelihood of terrorist activity, or kidnap etc, these need context driven risk approaches. 6
Applying context in the Sighbear world? Hot holiday, have some shade. Cold holiday, why have some shade? So if the Sighbear goes on holiday to a hot destination (the context). R = (V = Bear’s fur) (L = Sun is hot) (I = Overheating / dehydration) “There is a risk that the sun will be hot leading to an impact of dehydration, due to thick fur which could be mitigated by staying in the shade”. The shade would be a risk management option under control (controls will be covered in later slide decks). If the Sighbear goes on holiday to a cold destination (a different context). What is the point of having some shade? This is why context is key/king (or queen or ….). Another context example. 7
The Sighbear is in the freezing North pole and could put on hat, gloves and scarf if it wants to go outside its warm igloo that has a fire, or it could just stay inside thus avoiding the risk of freezing. He might need to apply sun cream on both hot and cold holidays as the sun can burn even in cold climates.
Applying context in the Cyber world New IT system on premises - install CCTV, Locks, Security guards, etc New IT system in the cloud - apply countermeasures that the business is responsible for. So if the business wants to deploy to the cloud (the context) R = (V = mis-configuration) (L = hackers target the clouds) (I = information compromised) “There is a risk that the hackers will mount a successful attack leading to an impact of information being compromised. Due to the business not understanding it’s cloud responsibilities (i.e. exposing the database tier to the Internet with a simple guessable password). Which could be mitigated by reading and understanding the cloud responsibility model” The cloud responsibility model would be a risk management option under control (more information on controls (which is not the same as control option in Cyber-Risk management) / countermeasures will be covered in later slide decks). But if the business wants to deploy on premises (a different context) 9
What is the point of them understanding the cloud responsibility model if they are not using the cloud? This is why context is key/king Another context example R = (V = no physical security) (L = criminal) (I = information compromised) “There is a risk that a criminal will steal equipment leading to an impact of information compromise, due to the business not having any physical security controls for where the system is housed (i.e. doors without locks, etc) which could be mitigated by applying some physical controls” Some of the countermeasures that could be deployed are: ● Avoid - Put system in a hosting data centre (which will also have some transfer element to it) ● Control - Add locks to doors, CCTV, etc ● Accept - Hope a criminal does not target you ● Transfer - Contract a security firm to provide guards (as mentioned more information on countermeasures will be covered in later slide decks). Question? So if you have a computer on a desk in a secure office that is unlocked but there is CCTV, security guards, biometric access control on the doors etc (which is a really visible risk) vs a webserver on the Internet that has never been patched with no firewall (not as visible risk), which should you address and why? Answer Depends on the context; what is on the web server? Maybe it is a Honey Pot! Bonus Question? Why is the Sighbear at the job centre? Answer
Because under the cloud shared responsibility model the cloud provided takes care of the physical security (the risk from physical attacks has been transferred to them). And finally. There are some size 11 shoes for sale on the Internet - will they fit you? What size are you feet? Are these child size 11 or adult? So the context here might be which section of the online shop they are in, adult or children's.
Bear traps ● Think about scenarios but avoid the never ending ifs. ○ (if an attacker, got into the build and if that attacker had credentials and if they bypassed the biometrics, if………). Think of plausible scenarios, i.e. a user uses a weak guessable password, firewall allows all inbound (ingress) and outbound (egress) traffic. Try to avoid going down the if & if & if rabbit holes…... We often hear things like, If the attacker fakes a building pass, copies some biometric (jelly baby attack or Gummy Bear attack) https://www.theregister.co.uk/2002/05/16/gummi_bears_defeat _fingerprint_sensors/), pays the security guards, stands on one leg etc then they might just be able to compromise the asset. Context is Key, Context is King (or queen or ……...! 9
More Bear traps ● There is no such thing as one size fits all in Cyber risk. ○ The business does not need to employ a physical security guard for protecting the cloud. ● Tick/Checkbox exercise can lead to false sense of security. One size of countermeasures does not fit everything. Example one: Policy states a requirement to physically lock computing devices to a desk. Hard to do with a mobile phone or a server; it is all about context. Most likely servers are in a computer hall with different controls to a phone that might have a biometric lock and, as it states, it is mobile so you are likely to have it in your pocket/bag rather than left on a desk. Example two: Countermeasures to protect all data/information transmitted and stored must be encrypted with FIPS140-3. Lots of systems / products don’t support the FIPS (Federal Information Processing Standard) plus sometimes the no FIPS version maybe safer. (https://www.yubico.com/support/security-advisories/ysa-2019- 02/) 13
Often businesses will state they comply to a standard (ISO/IEC 27001) or framework (COBIT (Control Objectives for Information and Related Technologies)) but: 1. What is the scope / context of how they are applied? 2. Were all the countermeasures used or just those to support risk management? 3. Does anyone check the countermeasures? 4. Do they mean comply or are they certified against by an independent external audit? Context is Key, Context is King (or queen or ……...!
Summing up and what's coming next Summary - Hopefully this slide deck explains / shows why context is very important and why not to just apply all countermeasures everywhere. Coming soon - we will expand on the risk equation and countermeasures. Hopefully this slide speaks for itself? 11
Graphical representations Credit - @warmana Hopefully you get the pictures? 12
Context is vitally important for everyone…… Including security! Hopefully this does not need any speaker notes? 13
Credits If you have a cyber challenge, if no one else can help, and if you can find them, maybe you can hire the CiBears? https://twitter.com/sighbearuk Artwork by Claire Brown https://clairebrown.myportfolio.com Just in case you are too young to remember the A-Team? https://www.imdb.com/title/tt0084967/quotes “10 years ago a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire the A-Team.” The CiBears blatant rip-off 3 years ago a crack bear unit was sent to deepest darkest Peru by a UK court for a crime they didn't commit. These bears promptly escaped from a maximum security cage to the Cyber underground. Today, still wanted by the government (to help them), they survive as bears of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can 18
hire the CiBears.

Recommended

The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!Frode Hommedal
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityEnergySec
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...United Security Providers AG
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...EnergySec
 
Cyber by-sighbear-1 1-notes
Cyber by-sighbear-1 1-notesCyber by-sighbear-1 1-notes
Cyber by-sighbear-1 1-notesSighbearuk
 
Cloud security: Accelerating cloud adoption
Cloud security: Accelerating cloud adoption Cloud security: Accelerating cloud adoption
Cloud security: Accelerating cloud adoption Dell World
 
Cloud migration risk
Cloud migration riskCloud migration risk
Cloud migration riskEdgevalue
 

Recommended

The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!Frode Hommedal
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityEnergySec
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...United Security Providers AG
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...EnergySec
 
Cyber by-sighbear-1 1-notes
Cyber by-sighbear-1 1-notesCyber by-sighbear-1 1-notes
Cyber by-sighbear-1 1-notesSighbearuk
 
Cloud security: Accelerating cloud adoption
Cloud security: Accelerating cloud adoption Cloud security: Accelerating cloud adoption
Cloud security: Accelerating cloud adoption Dell World
 
Cloud migration risk
Cloud migration riskCloud migration risk
Cloud migration riskEdgevalue
 
Security in 10 slides
Security in 10 slidesSecurity in 10 slides
Security in 10 slidesAndre Debilloez
 
Enterprise Cloud Risk And Security
Enterprise Cloud Risk And SecurityEnterprise Cloud Risk And Security
Enterprise Cloud Risk And SecurityMark Masterson
 
Db2z bp security_transcript
Db2z bp security_transcriptDb2z bp security_transcript
Db2z bp security_transcriptCésar Medina Corona
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Navigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
Navigating through the cloud SPUSC 2011 -Rob Livingstone KeynoteNavigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
Navigating through the cloud SPUSC 2011 -Rob Livingstone KeynoteLivingstone Advisory
 
1. Write a four page paper discussing the effect of Globalization .docx
1. Write a four page paper discussing the effect of Globalization .docx1. Write a four page paper discussing the effect of Globalization .docx
1. Write a four page paper discussing the effect of Globalization .docxbraycarissa250
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysisCarlo Dapino
 
Will the Cloud be your disaster, or will Cloud be your disaster recovery?
Will the Cloud be your disaster, or will Cloud be your disaster recovery?Will the Cloud be your disaster, or will Cloud be your disaster recovery?
Will the Cloud be your disaster, or will Cloud be your disaster recovery?Livingstone Advisory
 
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...Symbiosis Group
 
Talk1 esc7 muscl-dataprotection_v1_2
Talk1 esc7 muscl-dataprotection_v1_2Talk1 esc7 muscl-dataprotection_v1_2
Talk1 esc7 muscl-dataprotection_v1_2Sylvain Martinez
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Private Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing AdoptionPrivate Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing AdoptionDana Gardner
 
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxPROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxwoodruffeloisa
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1William Kiss
 
Cloud computing: What you need to know as an Australian Finance Director
Cloud computing: What you need to know as an Australian Finance DirectorCloud computing: What you need to know as an Australian Finance Director
Cloud computing: What you need to know as an Australian Finance DirectorLivingstone Advisory
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Eturnti Consulting Pvt Ltd
 
Cyber security innovation imho v5
Cyber security innovation imho v5Cyber security innovation imho v5
Cyber security innovation imho v5W Fred Seigneur
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 

More Related Content

Similar to Cyber by-sighbear-context-1.0-notes

Enterprise Cloud Risk And Security
Enterprise Cloud Risk And SecurityEnterprise Cloud Risk And Security
Enterprise Cloud Risk And SecurityMark Masterson
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Navigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
Navigating through the cloud SPUSC 2011 -Rob Livingstone KeynoteNavigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
Navigating through the cloud SPUSC 2011 -Rob Livingstone KeynoteLivingstone Advisory
 
1. Write a four page paper discussing the effect of Globalization .docx
1. Write a four page paper discussing the effect of Globalization .docx1. Write a four page paper discussing the effect of Globalization .docx
1. Write a four page paper discussing the effect of Globalization .docxbraycarissa250
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysisCarlo Dapino
 
Will the Cloud be your disaster, or will Cloud be your disaster recovery?
Will the Cloud be your disaster, or will Cloud be your disaster recovery?Will the Cloud be your disaster, or will Cloud be your disaster recovery?
Will the Cloud be your disaster, or will Cloud be your disaster recovery?Livingstone Advisory
 
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...Symbiosis Group
 
Talk1 esc7 muscl-dataprotection_v1_2
Talk1 esc7 muscl-dataprotection_v1_2Talk1 esc7 muscl-dataprotection_v1_2
Talk1 esc7 muscl-dataprotection_v1_2Sylvain Martinez
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Private Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing AdoptionPrivate Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing AdoptionDana Gardner
 
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxPROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxwoodruffeloisa
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1William Kiss
 
Cloud computing: What you need to know as an Australian Finance Director
Cloud computing: What you need to know as an Australian Finance DirectorCloud computing: What you need to know as an Australian Finance Director
Cloud computing: What you need to know as an Australian Finance DirectorLivingstone Advisory
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Eturnti Consulting Pvt Ltd
 
Cyber security innovation imho v5
Cyber security innovation imho v5Cyber security innovation imho v5
Cyber security innovation imho v5W Fred Seigneur
 

Similar to Cyber by-sighbear-context-1.0-notes (20)

Security in 10 slides
Security in 10 slidesSecurity in 10 slides
Security in 10 slides
 
Enterprise Cloud Risk And Security
Enterprise Cloud Risk And SecurityEnterprise Cloud Risk And Security
Enterprise Cloud Risk And Security
 
Db2z bp security_transcript
Db2z bp security_transcriptDb2z bp security_transcript
Db2z bp security_transcript
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
Navigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
Navigating through the cloud SPUSC 2011 -Rob Livingstone KeynoteNavigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
Navigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
 
1. Write a four page paper discussing the effect of Globalization .docx
1. Write a four page paper discussing the effect of Globalization .docx1. Write a four page paper discussing the effect of Globalization .docx
1. Write a four page paper discussing the effect of Globalization .docx
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysis
 
Will the Cloud be your disaster, or will Cloud be your disaster recovery?
Will the Cloud be your disaster, or will Cloud be your disaster recovery?Will the Cloud be your disaster, or will Cloud be your disaster recovery?
Will the Cloud be your disaster, or will Cloud be your disaster recovery?
 
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
 
Talk1 esc7 muscl-dataprotection_v1_2
Talk1 esc7 muscl-dataprotection_v1_2Talk1 esc7 muscl-dataprotection_v1_2
Talk1 esc7 muscl-dataprotection_v1_2
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Private Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing AdoptionPrivate Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing Adoption
 
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxPROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.
 
The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1The Silver Bullet of Cyber Security v1.1
The Silver Bullet of Cyber Security v1.1
 
Cloud computing: What you need to know as an Australian Finance Director
Cloud computing: What you need to know as an Australian Finance DirectorCloud computing: What you need to know as an Australian Finance Director
Cloud computing: What you need to know as an Australian Finance Director
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
 
Cyber security innovation imho v5
Cyber security innovation imho v5Cyber security innovation imho v5
Cyber security innovation imho v5
 

Recently uploaded

Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfSrushith Repakula
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 

Recently uploaded (20)

Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 

Cyber by-sighbear-context-1.0-notes

  • 1. Welcome to more Cyber by Sighbear in association with the CiBears. This slide deck expands on the initial story of Cybersecurity and continues the journey for those who wish to get into the industry and as a refresher to those already in the industry as to how and why we do Cyber Security. This is the second slide deck and there will be others that expand on the areas covered in this one and related areas. Cyber by Sighbear Context is Key What are the CiBears without context? V0.1 Draft
  • 2. The story so far ● In the first slide deck we covered Cyber & Risk. ● Then we joined the two together for Cyber-Risk. ● We used Cyber and CiBear world examples to help introduce a simple equation for risk assessment. ● The deck introduced each of the parts to the equation. ● It finally wrapped it up with risk management. ● If you have not seen part 1 or need a detailed refresher see https://www.sighbear.uk/Cyber-Education/ In the first slide deck we covered Cyber & Risk and definitions for them both. We joined Cyber and Risk together for Cyber-Risk. The deck then used Cyber and CiBear world scenarios whilst introducing a simple risk equation (R = V * L * I) for risk assessment. Then it introduced each of the parts to the equation, R=Risk, V=Vulnerability, L=Likelihood and I=Impact (which also covered assets and value). The deck finally wrapped it all up with risk management through the following approaches ● Avoid ● Control ● Accept ● Transfer 2
  • 3. The story today! CONTEXT! - Introduce it As it says on the slide. 3
  • 4. What is context? ● Context is Key ● Definition of Context ○ “the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood.” Understand the context. What is the context, what are you trying to achieve and what are the parameters that apply? Hopefully the next few slides answer this question. 4
  • 5. Why apply context in the Cyber world? Cyber world A business is thinking of deploying a new IT system ● Where should they deploy? ● On premises or in the Cloud? So when applying cyber-risk you need to understand what the business is trying to achieve and how they might want to achieve it, which will then have an effect on the risks. Remember the equation from the first slide deck? R = V * L * I (R=Risk, V=Vulnerability, L=Likelihood and I=Impact) These will change based on the context. For example, if the location of the information stored on premises is on a fault line then the likelihood of a earthquake increases, this needs a context driven risk approach. Can you work out what 1001101000010 is? 5
  • 6. Why apply context in the Sighbear world? Sighbear world The bear is thinking of going on holiday ● Where should they go? ● Somewhere cold or hot? So when Sighbear is thinking of going on holiday he applies a risk approach, you need to understand what the bear is trying to achieve (sun tan or adrenaline seeking) and how he wants to achieve it which will then have an effect on the risks. Remember the equation from the first slide deck? R = V * L * I (R=Risk, V=Vulnerability, L=Likelihood and I=Impact) These will change based on the context. For example if the holiday destination has a heightened likelihood of terrorist activity, or kidnap etc, these need context driven risk approaches. 6
  • 7. Applying context in the Sighbear world? Hot holiday, have some shade. Cold holiday, why have some shade? So if the Sighbear goes on holiday to a hot destination (the context). R = (V = Bear’s fur) (L = Sun is hot) (I = Overheating / dehydration) “There is a risk that the sun will be hot leading to an impact of dehydration, due to thick fur which could be mitigated by staying in the shade”. The shade would be a risk management option under control (controls will be covered in later slide decks). If the Sighbear goes on holiday to a cold destination (a different context). What is the point of having some shade? This is why context is key/king (or queen or ….). Another context example. 7
  • 8. The Sighbear is in the freezing North pole and could put on hat, gloves and scarf if it wants to go outside its warm igloo that has a fire, or it could just stay inside thus avoiding the risk of freezing. He might need to apply sun cream on both hot and cold holidays as the sun can burn even in cold climates.
  • 9. Applying context in the Cyber world New IT system on premises - install CCTV, Locks, Security guards, etc New IT system in the cloud - apply countermeasures that the business is responsible for. So if the business wants to deploy to the cloud (the context) R = (V = mis-configuration) (L = hackers target the clouds) (I = information compromised) “There is a risk that the hackers will mount a successful attack leading to an impact of information being compromised. Due to the business not understanding it’s cloud responsibilities (i.e. exposing the database tier to the Internet with a simple guessable password). Which could be mitigated by reading and understanding the cloud responsibility model” The cloud responsibility model would be a risk management option under control (more information on controls (which is not the same as control option in Cyber-Risk management) / countermeasures will be covered in later slide decks). But if the business wants to deploy on premises (a different context) 9
  • 10. What is the point of them understanding the cloud responsibility model if they are not using the cloud? This is why context is key/king Another context example R = (V = no physical security) (L = criminal) (I = information compromised) “There is a risk that a criminal will steal equipment leading to an impact of information compromise, due to the business not having any physical security controls for where the system is housed (i.e. doors without locks, etc) which could be mitigated by applying some physical controls” Some of the countermeasures that could be deployed are: ● Avoid - Put system in a hosting data centre (which will also have some transfer element to it) ● Control - Add locks to doors, CCTV, etc ● Accept - Hope a criminal does not target you ● Transfer - Contract a security firm to provide guards (as mentioned more information on countermeasures will be covered in later slide decks). Question? So if you have a computer on a desk in a secure office that is unlocked but there is CCTV, security guards, biometric access control on the doors etc (which is a really visible risk) vs a webserver on the Internet that has never been patched with no firewall (not as visible risk), which should you address and why? Answer Depends on the context; what is on the web server? Maybe it is a Honey Pot! Bonus Question? Why is the Sighbear at the job centre? Answer
  • 11. Because under the cloud shared responsibility model the cloud provided takes care of the physical security (the risk from physical attacks has been transferred to them). And finally. There are some size 11 shoes for sale on the Internet - will they fit you? What size are you feet? Are these child size 11 or adult? So the context here might be which section of the online shop they are in, adult or children's.
  • 12. Bear traps ● Think about scenarios but avoid the never ending ifs. ○ (if an attacker, got into the build and if that attacker had credentials and if they bypassed the biometrics, if………). Think of plausible scenarios, i.e. a user uses a weak guessable password, firewall allows all inbound (ingress) and outbound (egress) traffic. Try to avoid going down the if & if & if rabbit holes…... We often hear things like, If the attacker fakes a building pass, copies some biometric (jelly baby attack or Gummy Bear attack) https://www.theregister.co.uk/2002/05/16/gummi_bears_defeat _fingerprint_sensors/), pays the security guards, stands on one leg etc then they might just be able to compromise the asset. Context is Key, Context is King (or queen or ……...! 9
  • 13. More Bear traps ● There is no such thing as one size fits all in Cyber risk. ○ The business does not need to employ a physical security guard for protecting the cloud. ● Tick/Checkbox exercise can lead to false sense of security. One size of countermeasures does not fit everything. Example one: Policy states a requirement to physically lock computing devices to a desk. Hard to do with a mobile phone or a server; it is all about context. Most likely servers are in a computer hall with different controls to a phone that might have a biometric lock and, as it states, it is mobile so you are likely to have it in your pocket/bag rather than left on a desk. Example two: Countermeasures to protect all data/information transmitted and stored must be encrypted with FIPS140-3. Lots of systems / products don’t support the FIPS (Federal Information Processing Standard) plus sometimes the no FIPS version maybe safer. (https://www.yubico.com/support/security-advisories/ysa-2019- 02/) 13
  • 14. Often businesses will state they comply to a standard (ISO/IEC 27001) or framework (COBIT (Control Objectives for Information and Related Technologies)) but: 1. What is the scope / context of how they are applied? 2. Were all the countermeasures used or just those to support risk management? 3. Does anyone check the countermeasures? 4. Do they mean comply or are they certified against by an independent external audit? Context is Key, Context is King (or queen or ……...!
  • 15. Summing up and what's coming next Summary - Hopefully this slide deck explains / shows why context is very important and why not to just apply all countermeasures everywhere. Coming soon - we will expand on the risk equation and countermeasures. Hopefully this slide speaks for itself? 11
  • 16. Graphical representations Credit - @warmana Hopefully you get the pictures? 12
  • 17. Context is vitally important for everyone…… Including security! Hopefully this does not need any speaker notes? 13
  • 18. Credits If you have a cyber challenge, if no one else can help, and if you can find them, maybe you can hire the CiBears? https://twitter.com/sighbearuk Artwork by Claire Brown https://clairebrown.myportfolio.com Just in case you are too young to remember the A-Team? https://www.imdb.com/title/tt0084967/quotes “10 years ago a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire the A-Team.” The CiBears blatant rip-off 3 years ago a crack bear unit was sent to deepest darkest Peru by a UK court for a crime they didn't commit. These bears promptly escaped from a maximum security cage to the Cyber underground. Today, still wanted by the government (to help them), they survive as bears of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can 18