
Risk Management: How to Stop Believing in Illusions



GRC-solution vendors present formal compliance as a mandatory step on the way to risk assessment. The speaker discusses the shortcomings of such solutions, what is actually required instead, and how to sensibly apply existing inexpensive and promising solutions for vulnerability management.

Published in: Technology
  1. Risk Management: How to Stop Believing in Illusions

  2. WHO ARE WE
  3. # whoami
     You don't exist, go away!
     # who am i
     Glanc, ltd, Bulgaria: Information Security consulting, a one-man company. Well, almost.
  5. WHAT GRC VENDORS WANT YOU TO THINK ABOUT HOW INFOSEC WORKS (and why it is utter bullshit)
     (Yes, this slide is so disgusting that I cannot resist including it in all my conference talks.)
  6. How Infosec really works
     • It's all about risk and nothing else;
     • If you think there is anything else, there must be either some misunderstanding or miscommunication;
     • You do risk management even if you think you do not.
  7. Compliance and risk
     • Risk management is not a part of compliance requirements. Compliance risks are similar to any other;
     • Don't expect things that someone else (partners, investors, a regulatory body) needs from you to work well for your own benefit.
  8. DID and Poverty
     If risks are not understood and communicated, everyone does their own risk management and your company suffers from Dissociative Identity Disorder (it happens anyway, but there is still a difference).
     If you cannot justify your spending, you get budget cuts and suffer from poverty.
  9. Personal risk model
     • Risk for my life;
     • Risk for my career;
     • Risk for my job;
     • Risk for my bonus;
     • Everyone else's problems.
     The first two are history; the third one will be soon.
  10. Personal risk matrix
                                 Low probability   Medium probability   High probability
      Loss of job                Could try         Better don't, but    Hell, NO!
      Loss of bonus              That's ok         Could try            Better don't, but
      Everyone else's problems   That's ok         That's ok            That's ok
  11. A Salesperson's Case
      — Your documents won't open! My antivirus does not let me do it!
      — Which one?
      — [vendor name here]
      — Get a new archive, here we go.
  12. A Salesperson's Case: risk model, salesperson's view
      First option: circumvent security procedures, but have a chance to close the deal. Positive outcome: $50K bonus, 90%. Negative outcome: loss of job, $100K personal impact, if I get caught.
      Second option: no pain, no gain.
  13. A Salesperson's Case: risk model, CISO's view
      First option: positive outcome negligible, 50% (the salesperson was too optimistic). Negative outcome: loss of a bonus, and the company suffers a major breach.
      Second option: the salesperson will be angry with me.
  14. Poverty: The Vendor Trap (why being low on budget sucks)
      • If you live below the Information Security poverty line, it means the whole IS industry works for wealthy people somewhere else, not for you;
      • Vendors are not interested in creating affordable solutions while their position in the luxury segment is secure;
      • Scaremongering FTW!
  15. "Best practices" aren't.
      • Not best (full of outdated and crazy stuff);
      • Not practical (being fully compliant is a stupid waste of resources, and partial compliance does not provide any benefit);
      • Easy to fall into "vendor-driven" security.
  17. Why it is hard
      • "Best practices" imply you have organization-wide (almost) perfectly working patch management;
      • "Periodic scans" were invented to find the gaps in that process;
      • Well, you have gaps. A lot of gaps. Now what?
  18. What is risk (from Capt. Obvious)
      Loss magnitude (LM); Loss event frequency (LEF). R = LM * LEF, that's it.
  19. What does your vulnerability scan tell you? Next to nothing. "Severity" only slightly correlates with LEF.
      Challenges:
      1. You have more than you can eat;
      2. An IP address is not an asset;
      3. A CVSS score is not a risk;
      4. Your quarterly (and weekly, too) scan is already outdated.
  20. Typical poor man's pitfall
      • Short list of critical systems;
      • Exposed to the outside world;
      • Everything else is "later".
      A moderately sophisticated attacker may maintain presence for months and years. Note that the methodology is correct, but there are gaps that make it fail.
  21. Putting vulnerability in context
      • To estimate loss magnitude (an asset management task);
      • To estimate loss event frequency;
      • To make sure your data are not obsolete.
  22. Asset management does not need to be expensive. Be creative with your data sources!
      • Monitoring systems;
      • Software inventory;
      • Hostname regexps;
      • AD entries;
      • Existing compliance scopes (duh);
      • Anything that comes to mind.
  23. Vulnerability ranking
      CVSS sucks. Even CVSSv3 sucks. Ask a pen tester. What matters is:
      • Exposure;
      • Exploit capabilities.
      Both are hard, but doable.
  24. Exposure/LEF estimation
      No need for Skybox-like fancy stuff (it is not as reliable as one might think anyway).
      • Create reasonable scopes that fit your network segmentation;
      • No attack graphs, just the direct neighbourhood: watch for RCEs;
      • Use IDS/SIEM data;
      • You probably underestimate your LAN exposure (not necessarily).
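The following is an added example, not code from the talk, of what slides 18 through 24 describe in one place: findings from a scan are put in context by deriving loss magnitude from cheap asset-management data (hostname regexps, an AD-style group list) and loss event frequency from an exposure scope that follows network segmentation plus known exploit capability, then ranked by R = LM * LEF. The hostname conventions, the scope probabilities, the exploit factors, the dollar figures and the four sample findings are all constructed assumptions for illustration; the point they make is that the CVSS order and the risk order come out different.

```python
"""Rank scanner findings by R = LM * LEF instead of by CVSS score.

Added example. Every threshold, hostname convention and sample finding
below is an assumption made up for illustration, not data from the talk.
"""
import re
from dataclasses import dataclass

# --- loss magnitude from cheap asset-management sources (assumed conventions) ---
HOSTNAME_CLASSES = [                       # hostname regexp -> asset class
    (re.compile(r"^(db|sql)-"), "crown-jewel"),
    (re.compile(r"^(web|api)-"), "business"),
    (re.compile(r"^(wks|lt)-"), "workstation"),
]
AD_GROUPS = {"wks-fin-07": "Finance"}      # constructed AD-like inventory
LOSS_MAGNITUDE = {                         # assumed loss per class, in dollars
    "crown-jewel": 1_000_000,
    "business": 200_000,
    "workstation": 20_000,
    "unknown": 50_000,                     # unclassified host: do not assume it is cheap
}

# --- loss event frequency from exposure scope and exploit capability ---
SCOPES = {"dmz": 0.8, "lan": 0.3, "mgmt": 0.1}             # assumed yearly contact probability
EXPLOIT_FACTOR = {"weaponized": 1.0, "poc": 0.4, "none": 0.05}


@dataclass
class Finding:
    host: str
    scope: str
    cvss: float
    exploit: str    # "weaponized" | "poc" | "none"
    rce: bool       # remote code execution: a pivot into the direct neighbourhood


def loss_magnitude(host):
    """LM from the hostname regexp, boosted by a sensitive AD group."""
    cls = "unknown"
    for rx, c in HOSTNAME_CLASSES:
        if rx.search(host):
            cls = c
            break
    lm = LOSS_MAGNITUDE[cls]
    if AD_GROUPS.get(host) == "Finance":   # a finance workstation moves money
        lm *= 5
    return lm


def loss_event_frequency(f):
    """LEF from where the host sits and whether anyone can actually exploit it."""
    lef = SCOPES[f.scope] * EXPLOIT_FACTOR[f.exploit]
    if f.rce:                              # RCE in a segment beats anything else there
        lef *= 2
    return lef


def risk(f):
    return loss_magnitude(f.host) * loss_event_frequency(f)


# constructed sample findings, as a scanner would report them
SAMPLE_FINDINGS = [
    Finding("web-01", "dmz", 9.8, "none", True),          # scary score, no exploit
    Finding("db-02", "lan", 7.5, "weaponized", True),     # lower score, real threat
    Finding("wks-fin-07", "lan", 6.5, "weaponized", False),
    Finding("mon-09", "mgmt", 9.1, "poc", True),          # not in any inventory
]


def rank_by_cvss(findings=SAMPLE_FINDINGS):
    return [f.host for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings=SAMPLE_FINDINGS):
    return [f.host for f in sorted(findings, key=risk, reverse=True)]


if __name__ == "__main__":
    print("by CVSS:", rank_by_cvss())
    print("by risk:", rank_by_risk())
    for f in rank_by_risk.__defaults__[0]:
        print(f"{f.host:12s} CVSS {f.cvss:4.1f}  R = {risk(f):>10,.0f}")
```

The host that tops the CVSS list (web-01, 9.8, no known exploit) lands third by risk, while the LAN database with a weaponized RCE moves to the top; mon-09 illustrates slide 19's point that an IP address is not an asset: with no inventory match it cannot be ranked honestly until someone classifies it.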
  25. Closing scanning gaps
      When your vulnerability scanner is too slow, try doing it without the scanner:
      • Vulners to find new bugs in known software;
      • ARP tables to find new computers;
      • nmap | diff;
      • AWS will do a lot of interesting things for you, too.
      Get a smaller scope and rescan!
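As an added example of the "nmap | diff" and "ARP tables" items above (not code from the talk), the script below compares two nmap greppable (-oG) snapshots of a small scope to report new hosts, hosts that went away, and ports that opened or closed between runs, then cross-checks the ARP neighbour table for addresses that answered on the wire but never appeared in a scan. The two snapshots and the `ip neigh` output are constructed inline; in practice you would feed it the saved `nmap -oG -` output from two dates and a live `ip neigh` dump.

```python
"""Diff two nmap -oG snapshots and cross-check the ARP table.

Added example; the snapshots and ARP table below are constructed data.
"""
import re

# constructed: yesterday's and today's `nmap -oG - 10.0.5.0/28` output
SCAN_OLD = """\
# Nmap scan initiated as: nmap -oG - 10.0.5.0/28
Host: 10.0.5.2 (web-01)\tStatus: Up
Host: 10.0.5.2 (web-01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.5.3 (db-02)\tStatus: Up
Host: 10.0.5.3 (db-02)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: closed (998)
# Nmap done -- 16 IP addresses (2 hosts up) scanned
"""
SCAN_NEW = """\
# Nmap scan initiated as: nmap -oG - 10.0.5.0/28
Host: 10.0.5.2 (web-01)\tStatus: Up
Host: 10.0.5.2 (web-01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.5.3 (db-02)\tStatus: Up
Host: 10.0.5.3 (db-02)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 10.0.5.9 ()\tStatus: Up
Host: 10.0.5.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""
# constructed `ip neigh` output: 10.0.5.12 answers ARP but was never scanned
ARP_TABLE = """\
10.0.5.2 dev eth0 lladdr 02:42:0a:00:05:02 REACHABLE
10.0.5.3 dev eth0 lladdr 02:42:0a:00:05:03 STALE
10.0.5.9 dev eth0 lladdr 02:42:0a:00:05:09 REACHABLE
10.0.5.12 dev eth0 lladdr 02:42:0a:00:05:0c REACHABLE
"""

# one entry of the -oG "Ports:" field: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_grepable(text):
    """Return {ip: set of 'port/proto'} for every host nmap reported up."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # comment lines, "Nmap done", etc.
        ip = line.split()[1]
        hosts.setdefault(ip, set())           # a host with no open ports still counts
        if "\tPorts:" in line:
            ports_field = line.split("\tPorts:", 1)[1]
            for port, proto, _service in PORT_RE.findall(ports_field):
                hosts[ip].add(f"{port}/{proto}")
    return hosts


def diff_scans(old_text, new_text):
    """What changed between two snapshots: hosts and open ports, both directions."""
    old, new = parse_grepable(old_text), parse_grepable(new_text)
    opened = {ip: sorted(new[ip] - old.get(ip, set())) for ip in new
              if new[ip] - old.get(ip, set())}
    closed = {ip: sorted(old[ip] - new.get(ip, set())) for ip in old
              if ip in new and old[ip] - new[ip]}
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "opened_ports": opened,
        "closed_ports": closed,
    }


def unscanned_from_arp(arp_text, scan_text):
    """Addresses seen in the ARP table that no scan line ever covered."""
    seen = {line.split()[0] for line in arp_text.splitlines() if "lladdr" in line}
    return sorted(seen - set(parse_grepable(scan_text)))


if __name__ == "__main__":
    for key, value in diff_scans(SCAN_OLD, SCAN_NEW).items():
        print(f"{key}: {value}")
    print("in ARP but never scanned:", unscanned_from_arp(ARP_TABLE, SCAN_NEW))
```

Run against the constructed data it reports one new host (10.0.5.9, with RDP open and no hostname, so it is also not in the asset inventory), 8080/tcp newly open on web-01, PostgreSQL no longer exposed on db-02, and 10.0.5.12 present in the ARP table but absent from the scan scope. Each of those is a reason to rescan a smaller scope today rather than wait for the next scheduled full scan.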
  26. Questions?