Social-Engineer Your Security Budget


My slides from UISGCON14 talk. Original video in Ukrainian: https://www.youtube.com/watch?v=7Mvhf_eAQks


  1. Social-Engineer Your Security Budget. Vlad Styran
  2. Good afternoon. I’m Vlad
  3. Plan: 1. Rationale 2. Economics 3. Social Engineering 4. Influence
  4. Part 1: Rationale for security budget
  5. Rationale for security budget. Expectations: corporate governance, risk management, market and government regulations
  6. Rationale for security budget. Reality: audit reports, security incidents, vendor pitches, “CEO has read a book” ©
  7. IT (security) budgeting process. Expectations: 1. Conduct a risk assessment 2. Quantify expected losses 3. Agree on risk appetite 4. Plan the controls 5. Implement the controls 6. Maintain the controls 7. Measure the controls
  8. IT (security) budgeting process. Reality: 1. Plan the budget 2. Present the budget 3. Divide the budget in half 4. Defend the budget 5. Divide the budget in half 6. Get the budget approval 7. Try not to cry in public
  9. Why are IT budgets cut?
  10. But if it only worked… Expectations: corporate governance, risk management, market and government regulations. Reality: Industrial Control Systems Health check
  11. Part 2: Cyber security economics
  12. Cyber security economics. Market challenges: information asymmetry*, invisibility of prevented loss, lack of incident disclosure, poor regulation. * George Akerlof – The Market for Lemons
  13. Why corporate security (normally) sucks: “Best practice” driven deterministic approach; the promised land of “management commitment”; obsession with formal authority
  14. “Best practice” vs Real security. “Best practice” security: deterministic & control-centric; “When in doubt, look into the standard” ©; security against liability; compliance. (Delft University of Technology – Cyber Security Economics 101)
  15. “Best practice” vs Real security. The Real security: direct business impact, security for business, indirect business impact, security for customers, support of business strategy, security against customers. (Delft University of Technology – Cyber Security Economics 101)
  16. Management commitment. Expectation: ISO/IEC 27001 – 5.1 Management commitment: “Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by: … d) communicating to the organization the importance of …; e) providing sufficient resources to …; …”
  17. Management commitment. Expectation: ISO/IEC 27001 – 5.1 Management commitment: “Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by: … d) communicating to the organization the importance of …; e) providing sufficient resources to …; …” Reality: (image)
  18. Obsession with authority. Expectation: CISO reports to the CEO or directly to the Board of Directors. (Image courtesy of USA Network)
  19. Obsession with authority. Reality: “CISO” reports to the highest-ranking executive who knows the difference between a firewall and an antivirus. (Image courtesy of Scott Adams, http://dilbert.com)
  20. Cyber security business: paper tigers, blinking boxes, Feynman threat, do-it-yourself attitude, evolution of “fair price”
  21. Part 3: Social engineering
  22. Social Engineering vs Human Hacking, Neurohacking and other bullshit
  23. How it works
  24. How it works
  25. How it works
  26. How it works. Scenario: a virus outbreak is expected to kill 600 people. We have two treatment plans to choose from. Plan A: let’s save 200 people! • All 600 will survive with P=33% • None will survive with P=66%. Plan B: 400 people will die… • No one will die with P=33% • Everyone will die with P=66%. Results shown on the slide: 78%, 22%. Tversky, Amos; Kahneman, Daniel (1981). “The Framing of decisions and the psychology of choice”. Science 211 (4481): 453–458.
  27. Part 4: Influence strategy, tactics and ops
  28. Influence strategy: formal power, expert power, social power
  29. Formal power
  30. Expert power. “An expert is a man who has made all the mistakes which can be made, in a narrow field.” – Niels Bohr
  31. Expert power. “An expert is a human who has made all the mistakes which can be made, in a narrow field.” – Niels Bohr
  32. Expert power: Open Design, Least Privilege, Fail-Safe Defaults, Defense in Depth, Complete Mediation, Separation of Privilege, Economy of Mechanism, Secure Weakest Link First, Psychological Acceptability, Least Common Mechanism. (Ross Anderson – Security Engineering)
  33. Social power. (University of Michigan – Influencing People)
  34. Social power. (University of Michigan – Influencing People)
  35. Social power. (Cultivating Compassionate Tech Communities – April Wensel – AnxietyTech 2018)
  36. Influence tactics: behavioral economics, social psychology, neuroscience. (Robert Cialdini – Influence)
  37. Influence ops. (Oren Klaff – Pitch Anything)
  38. Step 1: Introduction of self. Define yourself via your background and brief history; name the top-3 or top-2 cool things you did professionally; state the purpose of your pitch
  39. Step 2: The “Why now?” frame. Recent changes by economic, social, and technological forces: factual and external to the company. Backstory of the idea: important changes in the business, forecast of trends, impact on cost and demand, and the opening window of opportunity
  40. Step 3: Idea introduction pattern. “For [the beneficiary], who are dissatisfied with [the current situation], my proposed idea/product/project is a [new thing], that provides [key problem-solving solution], unlike [the alternative(s)]. My idea/product/project/solution is: [describe key features]”
  41. Good evening. I’m Vlad
  42. I spent 16 years in IT infrastructure, Information Security Management, IT Audit, Application Security, and Security consulting for the largest banking, telecom, software development and professional services companies in Ukraine.
  43. I am one of the “founding fathers” of UISG, co-founder of OWASP Kyiv, the NoNameCon security conference, and my own consulting company Berezha Security.
  44. Today I am here to help you secure an adequate budget for your cyber security program.
  45. All of you are aware of: 1. the increase in frequency and financial impact of cyber attacks, 2. the strengthening of government and market regulations, 3. and the inability of traditional IT security solutions to thwart the permanent threat of state-sponsored hacking backed by Russia. In the face of: 1. poor InfoSec market conditions that will not improve in the near future, 2. and the inevitable period of increased geopolitical tension caused by the upcoming presidential elections, you should not miss the opportunity to secure the funding required to implement adequate safeguards as soon as possible.
  46. For your security organization, that is poorly funded in line with the “traditional” corporate budgeting process that creates an imbalance between estimated goals and assigned costs, my proposed method is a tool for leveraging natural human features, beliefs, and aspirations, that provides a tangible perception of a “fair amount” of cyber security spending to all stakeholders, unlike the traditional “risk assessment” approach that is inherently prone to error and doesn’t fully cover the ever-changing threat landscape.
  47. My proposed method uses the current body of knowledge in psychology, social sciences, and cyber security economics to help security leaders • obtain necessary resources, • deal with cyber security market challenges, • build and maintain influence power in the organization, • and take a well-deserved place in the business hierarchy.
  48. How to find me: sapran@pm.me, https://fb.me/vstyran, @arunninghacker
  49. References: George Akerlof – The Market for Lemons; Delft University of Technology – Cyber Security Economics 101; Ross Anderson – Security Engineering; University of Michigan – Influencing People; Robert Cialdini – Influence; Oren Klaff – Pitch Anything; Cultivating Compassionate Tech Communities – April Wensel – AnxietyTech 2018
  50. Recommendations: Introduction to Psychology, University of Toronto; Christopher Hadnagy, Social Engineering: The Art of Human Hacking, 1st Edition; Robert B. Cialdini, Influence: The Psychology of Persuasion, Revised Edition; Dan Ariely, Predictably Irrational, Revised and Expanded Edition: The Hidden Forces That Shape Our Decisions; Social Engineer Podcast