Online threats against web applications are growing at an exponential rate and are expected to continue growing in the coming years. Higher education finds itself in a precarious position, trying to balance the need to provide services like external websites to its various business units while working to stay ahead of such threats. This is further exacerbated by the adoption and deployment of open-source CMS applications like WordPress and Drupal.
In this talk, I explore the latest tactics, techniques and procedures being employed by cyber criminals, their threats to Higher Education institutions and provide a security framework from which organizations can expand on within their own organizations.
2017 WHD - Bridging the Divide Between Behavior and Security (Tony Perez)
As an industry of service providers we have a greater responsibility to the larger internet security ecosystem. We rely on offsetting security ownership to our customers, but in many ways we're the responsible ones. We're also the ones best suited to help solve the problem. In this talk I try to broach the subject of responsibility by looking at the real challenge we're faced with - human behavior.
Building a Security Framework for Websites (Tony Perez)
We live in an age where the threats against our websites are real, and their impacts have the potential to be devastating. As open-source CMS applications continue to become a staple in our infrastructure stack, organizations are faced with the challenge of accounting for this new attack vector. With limited resources and knowledge, organizations need a streamlined approach to managing their websites. In the talk below I share some thoughts on how to think about security more holistically by thinking through an attacker's TTPs and using that to help build a repeatable framework applicable to all website owners, regardless of organization size.
The year is 2015, there are a little over a billion websites online, they range in size, complexity and popularity and yet they all share a common denominator – the threat of a security incident.
The past two years have been especially challenging for most businesses; this talk will provide a holistic overview of the challenges and threats website owners face. These insights will come from years of research and analysis, but more importantly from the experiences of hundreds of thousands of website owners like you. We will share the latest threats website owners face, but deliver them in a meaningful way that provides each attendee actionable take-aways. Lastly, the talk will place emphasis on the responsibility that each of us has as online stewards, to our brand, our users and the internet as a whole.
The most effective toolset we have at our disposal is knowledge, and so this presentation focuses on education.
Business of People - Lessons Learned Building a Remote Workforce (Tony Perez)
Business is complex, and it undoubtedly depends on people to be successful, whether engineers, support agents, marketing, etc. The dynamics of managing people, while fulfilling, can be very complex. In this presentation I touch on a number of things we've learned at Sucuri as we've grown from a small team to one that is distributed around the world in 20 different countries.
Website Security - Latest and Greatest (WordPress 2014) (Tony Perez)
This presentation focuses on three elements - Trends, Threats and Defenses. It leverages the latest data from some of the top Information Security companies out there (i.e., Symantec, Websense, etc.). It does not go over the typical 10 things; instead it focuses on broad Information Security concepts and principles that many website owners don't account for.
Joomla! Day Atlanta 2014 - Website Security - The Basics (Tony Perez)
There are many posts, links and sources for website security; we unfortunately look over the basics as if somehow they were no longer important. The fact of the matter is that the basics will often save website owners a lot of headaches. This presentation hopes to go back to the basics and provide a foundation from which all website owners, specifically Joomla ones, can build. A lot of the concepts, though, are applicable across all platforms and can be found to be very platform agnostic.
For more information contact us at http://sucuri.net
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis' slides from the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and what could be beneficial to or limiting your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already have working for real.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
My name is Tony Perez, perezbox online, and I am the Co-Founder / CEO of Sucuri.
For those unfamiliar, Sucuri is a website security company that specializes in post-hack incident response services and cloud-based hack prevention. In other words, we clean infected websites and work hard to keep hackers out.
We’ve worked with a number of organizations in this room, assisting in a number of post-compromise incident response services as well as deployment of solutions to provide better visibility and prevention.
I will use that experience to hopefully provide better context around today’s threats and to hopefully offer you a way to think about and account for website security.
This discussion will be divided into three key domains.
We’ll take a journey into the why: why does website security even matter to me?
We’ll progress into the what: what are these cybercriminals doing in our environments?
And finally, we’ll end with what I hope is a very practical approach on how to think about and account for security within your respective institution, regardless of size.
To achieve this I will leverage a concept known as Defense in Depth, a principle that has been around for millennia, with the first signs of its implementation dating back to the Second Punic War (216 B.C.).
The InfoSec community eagerly adopted the principle as the best and most practical approach to accounting for the evolution of cyber attacks over the years.
The premise of the ideology is based on one very simple principle: There is no single solution capable of protecting any environment 100%.
And so to combat this we employ the idea of layered defenses, in which we deploy multiple defensive mechanisms that have overlapping features and complement each other, in the hope that if one fails, another will pick up the slack.
On a quick note, here is the blueprint of the first ever castle, dating back to 1295, which illustrates how a defense in depth strategy was employed.
You can see the moat that was designed to keep the attacker from breaching the walls. You can see the multiple walls and towers where they would have had spotters, and you can see how access would have been controlled.
Things to consider:
A good defense in depth strategy looks at not only the depth of the defensive controls, but also takes into consideration the breadth of the attack surface and the differing tools across the stack.
This approach provides you a more complete picture of today’s threat landscape. It clearly illustrates that security extends well beyond the application or its extensible components.
The goal with this strategy is to employ a more holistic approach to website security.
Website security is but a very small piece of the security ecosystem for any organization, though.
It’s often overlooked and understaffed. In fact, in many ways website security is likely the most undervalued security domain within most organizations, not just education.
Those responsible for its maintenance are often the marketing / communication person who drew the shortest straw or was voluntold to add a new job to their role: “but don’t worry, it’ll only take 10% of your time.”
The teams that do exist lack funding, skills and knowledge on where to even start, and therein lies the problem.
In higher education you can boil network security requirements down to three distinct business functions. Each one today has to worry not only about internal network and device issues, but each also has its own external web presence that connects the network with the rest of the internet.
In fact, in a SANS study of the higher education space in 2014, they found that 64% of the security respondents they surveyed were concerned not only about their end point devices, but equally shared concern with their web applications.
This should be no surprise taking into consideration the decentralized nature of higher education networks. Educational institutions were built on the idea of trust. They are open and diverse environments that encourage collaboration.
Those are all the qualities that make them extraordinarily difficult to defend.
This ideology is also problematic in that it bleeds into their being early adopters of technologies that share the same mindset.
We can see this take place in the adoption of open-source technologies. Today, the open-source craze is in full effect in all organizations. It’s especially true in the web ecosystem, from the adoption of open-source web servers (Apache, NGINX) to the adoption of open-source CMS applications like WordPress, Joomla! and Drupal.
While it’s impossible for me to guesstimate how many of you are using or deploying these technologies, I’d venture to say more than ¾ of you in this room have some charter to manage, deploy and make available some variation of one of these technologies to your various business units.
Which one is deployed is likely heavily dependent on the in-house skills you have at your disposal.
The one feature that resonates with higher ed when it comes to open-source is that it’s the right price tag: “Free”.
But we have to remember that free does not mean free of effort, labor or responsibility.
The same SANS study from 2014 found that 64% of the security teams surveyed believed they required up to 5 FTEs, but 43% had 1 FTE or less. Note that this survey was not done specifically for website security, but for all of security pertaining to their schools. This is the dire state higher education finds itself in.
This will undeniably come to a head, as it has in so many industries in the past. In fact, in 2015 educational institutions finally had enough security incidents to make it into the Symantec Internet Security Threat Report, ranking #6 in terms of frequency of exploits against their websites.
As for what attackers are after? It’s simpler than you might think; I boil it down to four things in higher education:
Valuable information - Personal Identifiable Information (PII), Personal Health Information (PHI) , Intellectual Property (IP), Research, and other sensitive information
Powerful Infrastructure - servers, network bandwidth and availability, power
Search Ranking - extremely attractive. Backlinks from .edu sites are highly coveted. They’re given special treatment by search engines, forgoing some of the controls that private organizations are restricted to. When a link is coming from a high-trust source like a university, Google seems to overlook factors like domain or page relevancy, title or other on-page SEO elements.
Audience - the user base, from businesses and government organizations to students, is rich in terms of targets for drive-by download attacks.
They achieve their goals through one of these five actions on objective:
Data Breach - in line with valuable information, perhaps the most expected compromise is data exfiltration. A study was performed in 2014 by the EDUCAUSE Higher Education Information Security Council (HEISC) in which, using data provided by the Privacy Rights Clearinghouse (PRC), they found that while the education industry does have a larger number of reported breaches, it also has fewer records exposed. This doesn’t preclude the responsibility we have to ensure the safekeeping of our data, but it does speak to the effectiveness of the controls being put in place.
Search Engine Poisoning - Just a few weeks ago eTraffic (a web marketing company) shed light on a huge backlink campaign affecting 76 universities, including a few Ivy League schools, in which attackers were able to systematically compromise their websites and inject anchor links throughout the content of their sites, allowing them to create very valuable backlinks to their website of choice (which happened to be a gambling site that they were an affiliate for). This however is but one example; other forms of campaigns include spam injections right into the content, and redirects from search engine results to their properties of choice.
Defacements - While as a whole we see a decrease in defacements, perhaps the one industry most affected by defacements, second probably only to government, is higher education. They are brought about by hacktivism to promote a social or political position.
Malware Distribution - Educational websites, especially those of research groups, make great targets for watering hole attacks used to leapfrog into larger enterprises. In watering hole attacks, cyber criminals interested in a target might compromise a website that their specific audience is interested in (think research groups) and, by infiltrating one of those properties, they’re able to indirectly attack an organization by adversely affecting the visitor through some form of “drive-by download” attack.
Botnet Inclusion - One evolution we continue to observe by attackers are attacks whose action on objective is not the exfiltration of data, distribution of malware or malicious abuse of ranking authority. Instead, it’s their desire to bolster their network capabilities for use in other, larger scale attacks, and they achieve this by targeting the infrastructure itself.
Fun little fact: higher education ranks as one of the top industries for data breaches, second only to the medical industry. Interestingly enough, however, a study by the EDUCAUSE Center for Analysis and Research found that while historical data showed that educational institutions seemed to have a larger number of reported breaches, they also had fewer actual records exposed.
Attackers are able to compromise our environments by making use of two types of attacks:
External Attacks:
Brute Force Attempts
Exploitation of Software Vulnerabilities
Security Misconfiguration
Internal Attacks:
Cross-Site Contamination
Server / Infrastructure Misconfiguration
The leading contributing attack vector today continues to come from software vulnerabilities being remotely exploited.
To help combat this we have to have better conversations around vulnerability / patch management and we need to:
1 - look to implement some form of prioritization system
2 - leverage tools that allow us to virtually patch without affecting production environments
Perhaps the great injustice we’re doing to ourselves is telling everyone to “just update”. If it were that easy to do, people would be doing it.
Most people in here can’t update their phones, let alone their desktops, let alone their websites. This is not to say that updates are not valuable; on the contrary, they are. But there has to be a better way to apply them when they’re made available. They also only address “known knowns”.
So how do we account for this? Understanding our challenges, where do we go from here?
The first step, as introduced earlier, is recognizing that our websites are part of a complex ecosystem, and complex things break in complex ways.
We need to look at the entire attack surface we’re working with, recognize the areas that affect our application, and identify the people that are responsible for each.
Every one of these domains forms a link in what is known as the security chain. In security we’re only as strong as the weakest link in the chain.
We can also look to understand the anatomy of today’s web attacks by spending some time better understanding how attackers perform the attacks themselves. The best illustration of this can be seen in the Lockheed Martin kill chain model, which illustrates the different phases an attacker goes through when attacking an environment.
Although originally built for enterprise networks, this model can be adjusted and applied to the website environment as well.
The only problem with the LM Kill Chain model is that it proposes the idea that by identifying an intrusion earlier in the process you’re able to effectively mitigate a compromise.
It is built on the assumption that the attacker works linearly through this flow, but that’s not true when working with external web properties. Because of the technologies at our disposal attackers are able to skip steps through the life cycle.
We propose that each phase can definitely be used to develop a plan to implement different controls designed to account for each phase, but don’t think of it as a singular event. Instead, we have to be looking at the entire lifecycle and have controls along the entire process.
A perfect example is to look at the RevSlider vulnerability, a plugin in WordPress, or Drupalgeddon, a SQLi vulnerability in Drupal core. Two platforms that many in this room are likely intimately familiar with.
RevSlider alone has seen hundreds of thousands of websites compromised since its disclosure in 2014.
Drupalgeddon, on the other hand, is probably one of the more severe vulnerabilities in recent history affecting any of the core open-source platforms - WordPress, Joomla, Magento, Drupal.
In either case, when these vulnerabilities went into the wild we noticed two types of attacks.
In some instances, attackers were scanning looking for sites, associated with Phase 1 of the model, but in most instances the attackers jumped right into Phase 4 (exploitation) and instead of looking to see which platforms were being used, just immediately commenced with exploitation attempts.
If it was successful, great! If not, no harm no foul.
There are of course other factors I believe contribute to the challenges we’ve been discussing, based on my own observations working with other institutions such as many in this room:
There is no centralized management of external websites.
The configuration / change control processes are too stringent, not accounting for high severity issues.
There is no visibility into what external sites actually exist.
There is no ownership of the site.
This shouldn’t be a surprise to many here, and it doesn’t begin to look at the challenges around qualified personnel or money. But it highlights some interesting areas that I think can definitely be improved upon.
For most organizations we work with, website security is an afterthought, and I want to try and change that. One way is to provide you a simple, repeatable framework that you can adjust to your liking.
To achieve this, I’ll leverage concepts by NIST and adjust them for our own purpose.
The basis of the framework, along with many aspects of security, is risk; specifically, risk management.
Risk management is an ongoing process of identifying, assessing and responding to risk. To achieve this, an organization must understand the likelihood of an event occurring and the impacts if it does.
On a side note, here are the regulatory drivers defining risk to assets and asset criticality for PII, as reported in the same SANS 2014 higher education study of security professionals.
For example:
Assume I have built a student portal using an open-source technology like Drupal, and I have a stringent change control process for pushing updates to production, including security updates.
A potential risk is the release of a vulnerability that I'm unable to patch in a timely manner.
The likelihood of this event coming to fruition is high given the state of today's online threats, and the impact could be devastating if a bad actor gained access to sensitive customer data.
A classic example of this is Drupalgeddon in 2014: Drupal's own public service announcement advised that any Drupal 7 site not patched within about seven hours of the release should be assumed compromised, a window no stringent change control process is going to accommodate.
Every organization is responsible for identifying its risks and aligning them with asset criticality and its own business objectives. In short, it's on each organization to define its own risk tolerance. This can be as high or as low as you want to make it, and there are a number of documents available to help you in the process.
Additionally, we have to spend a few minutes talking about goals.
As an organization what are you looking to achieve? Your goals will help dictate the paths you take and also help prioritize...
What are your goals with security?
What are we looking to do?
Whatever they are, they too are a continuous process and must be expanded upon. As you move down the list, you don’t forget about them, but instead they become part of your sustainment process while you expand the list with new goals to address.
By breaking the process into small manageable pieces you’re able to make better progress to improve your overall security posture.
The framework NIST proposes, and the one I think we can leverage, is divided into five functions, then categories, subcategories and informative references.
The benefits of the framework are that it:
Describes your existing security posture;
Identifies and prioritizes opportunities for improvement;
Provides a common taxonomy for all organizations;
Provides a communication medium for talking about security risk.
The Framework core is comprised of five concurrent and continuous functions:
Identify
Protect
Detect
Respond
Recover
These functions are then divided into key categories, subcategories and references as appropriate. The framework is not designed to foster a checklist mindset; it is built to help prioritize security activities.
When you put it together, this is what the framework looks like, and using the structure we just defined we can start filling in the table.
Too often, though, we as organizations place all our emphasis on Protect and Detect and forget the other three functions.
I cannot stress enough the importance of this being a continuous process.
And so before we break away for the afternoon, I encourage you to follow some simple steps:
1 - Leverage a sensible framework, something you can hold yourself accountable to.
2 - Know what you have. That's non-negotiable: you can't secure what you don't know exists.
3 - Once you figure out what your risks are, implement controls. They extend beyond technical controls; implement controls that force you to hold yourself accountable. Maybe set up a maintenance schedule, like every Friday before you leave for the weekend. The key is habit.
4 - Be an active administrator of your site. Actively administer and manage it; there should be no one more familiar with your site than you, the website owner.
5 - Revisit the process continuously. The threat landscape evolves daily, so constantly check whether everything is still good or whether you need to apply new controls, adjust your risk assessment, etc.
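The five steps above boil down to something you can actually run on a schedule. As an added example (not code from the talk), the Python below reviews a constructed inventory of external sites for the gaps listed earlier: no owner, no visibility into the platform, a version below an assumed patch baseline, and a missed weekly maintenance window. The hostnames, owners, baselines, cadence and review date are assumptions; the Drupal 7.32 floor is the real Drupalgeddon fix release.

```python
"""Inventory review for externally facing CMS sites: the 'know what you have'
step, with the checks the talk's contributing factors suggest (missing owner,
unknown platform, patch level, maintenance habit).

Added example for this page, not code from the talk. The inventory, the
version baselines, the 7-day maintenance cadence and TODAY are constructed
or assumed."""
import re
from datetime import date, timedelta

# Constructed inventory; hostnames and owners are invented. A site recorded
# with platform=None is one you know exists but have no visibility into.
INVENTORY = [
    {"host": "www.example.org", "platform": "drupal", "version": "7.32",
     "owner": "web-team", "last_maintenance": date(2015, 3, 6)},
    {"host": "alumni.example.org", "platform": "drupal", "version": "7.31",
     "owner": None, "last_maintenance": date(2014, 10, 1)},
    {"host": "news.example.org", "platform": "wordpress", "version": "4.1.1",
     "owner": "comms", "last_maintenance": date(2015, 3, 6)},
    {"host": "lab.example.org", "platform": None, "version": None,
     "owner": "bio-dept", "last_maintenance": None},
]

# Assumed minimum acceptable versions. Drupal 7.32 is the release that fixed
# Drupalgeddon (SA-CORE-2014-005); the WordPress floor is an arbitrary choice
# you would set from your own risk tolerance.
BASELINES = {"drupal": "7.32", "wordpress": "4.1.1"}
MAINTENANCE_WINDOW = timedelta(days=7)   # the "every Friday" habit
TODAY = date(2015, 3, 9)                 # assumed review date (a Monday)


def parse_version(text):
    """'7.32' -> (7, 32); non-numeric suffixes such as '-dev' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def review_site(site, today):
    """Return the list of findings for one site (comments note the CSF function)."""
    findings = []
    if site["owner"] is None:
        findings.append("no-owner")            # Identify: nobody is accountable
    if site["platform"] is None:
        findings.append("unknown-platform")    # Identify: no visibility
    else:
        floor = BASELINES.get(site["platform"])
        if floor and parse_version(site["version"]) < parse_version(floor):
            findings.append(f"below-baseline:{site['platform']}<{floor}")  # Protect
    last = site["last_maintenance"]
    if last is None or today - last > MAINTENANCE_WINDOW:
        findings.append("maintenance-overdue")  # the accountability habit
    return findings


def review(inventory, today=TODAY):
    """Map each host to its findings; hosts with none can wait until next Friday."""
    return {site["host"]: review_site(site, today) for site in inventory}


if __name__ == "__main__":
    for host, findings in review(INVENTORY).items():
        print(f"{host}: {', '.join(findings) or 'ok'}")
```

Run it every Friday and the output is your to-do list; a site that shows up with no-owner and below-baseline at the same time is exactly the combination the contributing factors above describe, and it is the one to fix first regardless of how small the site is.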
Finally, remember that security is a continuous process, and so is this framework.
With that, I’ll open it up for questions from the audience if there are any.