Risks or vulnerabilities?

Slides prepared in a few hours to fill in for a missing speaker at the All Security conference, Rome 2011.

1. Risks or vulnerabilities? Alessio L.R. Pennasilico, Rome, 7 April 2011. mayhem@alba.st, twitter: mayhemspp, FaceBook: alessio.pennasilico
2. $ whois mayhem: Security Evangelist @ Board of Directors: CLUSIT, Associazione Informatici Professionisti, Associazione Italiana Professionisti Sicurezza Informatica, Italian Linux Society, OpenBSD Italian User Group, Hacker's Profiling Project. Risks or vulnerabilities? mayhem@alba.st 2
3. Credits: Roger G. Johnston, Vulnerability Assessment Team, Nuclear Engineering Division, Argonne National Laboratory. http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf
4. Risks or vulnerabilities?
5. Malware. Threat: adversaries might install malware on the computers in our Personnel Department so they can steal social security numbers for purposes of identity theft. Vulnerability: the computers in the Personnel Department do not have up-to-date virus definitions for their anti-malware software.
6. Thieves. Threat: thieves could break into our facility and steal our equipment. Vulnerability: the lock we are using on the building doors is easy to pick or bump.
7. Social Engineering. Threat: nefarious insiders might release confidential information to adversaries. Vulnerability: employees don't currently have a good understanding of what information is sensitive/confidential and what is not, so they can't do a good job of protecting it.
8. Myth #1: "a Threat without a mitigation is a Vulnerability". This makes no sense because (a) a Threat is not a Vulnerability; (b) security is a continuum, and 100% elimination of a Vulnerability is rarely possible; (c) adversaries may not automatically recognize a Vulnerability, so mitigating it may be irrelevant for that specific Threat.
9. Myth #2: "Threats are more important than Vulnerabilities". We need to consider that a TA (Threat Assessment) involves mostly speculating about people who are not in front of us, and who might not even exist, but who have complex motivations, goals, mindsets, and resources if they do exist. Vulnerabilities are more concrete and right in front of us (if we're clever and imaginative enough to see them). They are discovered by doing an analysis of actual infrastructure and its security, not by speculating about people.
10. Past vs Future. Some people claim that past security incidents can tell us all we need to know about Threats, but that is just being reactive, not proactive, and misses rare but very catastrophic attacks.
11. If you understand and take some reasonable effort to mitigate your security Vulnerabilities, you are probably in fairly good shape regardless of the Threats.
12. If you understand the Threats but are ignorant of the Vulnerabilities, you are not likely to be very secure, because the adversaries will have many different ways in.
13. Cognitive Biases
14. Optimism Bias: the demonstrated systematic tendency for people to be over-optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. It is one of several kinds of positive illusion to which people are generally susceptible.
15. Optimism Bias: optimistic overconfidence bias can induce people to underinvest in primary and preventive care and other risk-reducing behaviors.
16. A brain-imaging study found that, when imagining negative future events, signals in the amygdala, an emotion centre of the brain, are weaker than when remembering past negative events. This weakened consideration of possible negative outcomes is one possible mechanism for optimism bias.
17. Heuristic: experience-based techniques that help in problem solving, learning and discovery; a "rule of thumb", an educated guess, an intuitive judgment or simply common sense.
18. Availability heuristic: estimating what is more likely by what is more available in memory, which is biased toward vivid, unusual, or emotionally charged examples.
19. Representativeness heuristic: judging probabilities on the basis of resemblance.
20. Affect heuristic: basing a decision on an emotional reaction rather than a calculation of risks and benefits.
21. Donald Norman
22. Conclusions
23. Conclusions: we have to deal with threats. We have to deal with vulnerabilities.
24. Conclusions: we are human, we can make mistakes. Trying to manage the causes of misjudgement helps.
25. These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. "Please" cite your source and use the same licence :) Questions? Thank you for your attention! Alessio L.R. Pennasilico, Rome, 7 April 2011. mayhem@alba.st, twitter: mayhemspp, FaceBook: alessio.pennasilico
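The distinction the deck draws in slides 5 through 12 can be made concrete as a small register in which threats and vulnerabilities are separate records and mitigations attach only to vulnerabilities. The following is an added example written for this page, not code from the slides or from Johnston's paper; the threat and vulnerability names, the extra link between the weak door lock and the insider threat, and the "unknown-apt" threat with no recorded weakness are all constructed for the illustration.

```python
"""Minimal threat/vulnerability register (added example, not from the slides).

Threats are speculation about adversaries; vulnerabilities are observable
weaknesses in our own infrastructure. Mitigations are applied to
vulnerabilities, so fixing one weakness can close the path for several
threats at once, while a threat with no recorded vulnerability behind it
has nothing we can directly "mitigate" (the point of Myth #1 and slide 12).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """Who might do what: about people who may not even exist."""
    name: str
    description: str


@dataclass
class Vulnerability:
    """A concrete weakness we can find and fix in our own systems."""
    name: str
    description: str
    enables: set[str]          # names of threats that could exploit this weakness
    mitigated: bool = False


class Register:
    def __init__(self) -> None:
        self.threats: dict[str, Threat] = {}
        self.vulns: dict[str, Vulnerability] = {}

    def add_threat(self, t: Threat) -> None:
        self.threats[t.name] = t

    def add_vuln(self, v: Vulnerability) -> None:
        # A vulnerability must be tied to threats we have actually recorded.
        unknown = v.enables - self.threats.keys()
        if unknown:
            raise ValueError(f"vulnerability {v.name} references unknown threats {unknown}")
        self.vulns[v.name] = v

    def mitigate(self, vuln_name: str) -> None:
        """Mitigation is an action on a vulnerability, never on a threat."""
        self.vulns[vuln_name].mitigated = True

    def open_paths(self, threat_name: str) -> list[str]:
        """Unmitigated vulnerabilities an adversary of this kind could still use."""
        return sorted(v.name for v in self.vulns.values()
                      if threat_name in v.enables and not v.mitigated)

    def unaddressed_threats(self) -> list[str]:
        """Threats we have speculated about but for which no weakness in our
        own infrastructure has been identified yet (nothing to mitigate)."""
        linked = {t for v in self.vulns.values() for t in v.enables}
        return sorted(self.threats.keys() - linked)


def build_register() -> Register:
    """Populate the register with the deck's three examples (constructed wording)."""
    r = Register()
    r.add_threat(Threat("malware", "adversaries install malware to steal SSNs"))
    r.add_threat(Threat("thieves", "thieves break in and steal equipment"))
    r.add_threat(Threat("insider", "nefarious insiders leak confidential data"))
    # Constructed: a threat with no concrete weakness identified behind it.
    r.add_threat(Threat("unknown-apt", "speculative actor; no identified weakness yet"))
    r.add_vuln(Vulnerability("stale-av-defs", "AV definitions out of date", {"malware"}))
    # Constructed link: a lock that is easy to bump also helps an insider after hours.
    r.add_vuln(Vulnerability("weak-door-lock", "door lock easy to pick or bump",
                             {"thieves", "insider"}))
    r.add_vuln(Vulnerability("no-data-classification",
                             "staff cannot tell what is confidential", {"insider"}))
    return r


if __name__ == "__main__":
    reg = build_register()
    print("insider paths before:", reg.open_paths("insider"))
    reg.mitigate("weak-door-lock")
    print("insider paths after :", reg.open_paths("insider"))
    print("thieves paths after :", reg.open_paths("thieves"))
    print("threats with no recorded weakness:", reg.unaddressed_threats())
```

Fixing the single "weak-door-lock" entry removes a path for both the thieves and the insider threat, which is the vulnerability-first argument of slide 11; the "unknown-apt" entry shows the limit of a threat-only view from slide 12, since a threat with no identified weakness behind it gives the defender nothing concrete to act on.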