20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!
Brighttalk reason 114 for learning math - final, by Andrew White
The document discusses using analytics to improve service assurance. It provides background on Andrew White, who has 15 years of experience designing systems monitoring and event management software. It then discusses how analytics can be used by CIOs to deliver better outcomes through techniques like big data analytics, security intelligence, mobile and cloud technologies.
Vendor Cybersecurity Governance: Scaling the risk, by Sarah Clarke
An overview of the scale of the challenge and rational ways to cut that down to manageable and governable size. Slides complement recent supplier security governance related posts on Infospectives.co.uk and LinkedIn.
Information Security Vulnerability Management, by tschraider
Vulnerability management is a proactive approach to identifying and closing vulnerabilities through ongoing processes of security scanning, auditing, and remediation. It aims to stay ahead of constantly changing threats by maintaining an inventory of known vulnerabilities and prioritizing remediation. In addition to technical vulnerabilities, poor internal processes around user access management, patching, and configuration can also pose risks, so these operational activities should be regularly assessed and improved. Once gaps have been addressed through effective vulnerability management over time, penetration testing can further test security and provide assurance.
OSB50: Operational Security: State of the Union, by Ivanti
The document discusses operational security and the state of cyber threats. It provides an overview of key trends including less control over data and devices, more complex networks, the rise of insecure internet of things devices, and the need for security to balance risk mitigation and enable business opportunities. Survey results show that security tasks are often split between IT and security teams. The document argues that organizations need to take a risk-based approach to security centered around understanding inherent risks, how assets could be compromised, and ensuring effective controls are in place. It also discusses challenges to achieving effective security.
What can go wrong?!
Thirty years of commercial information security have taught us to orchestrate perimeter controls, to correctly configure AAA systems, to evaluate risks and manage them.
But when we talk about the supply chain, the context dramatically changes and we risk realising we did not understand it all or we naively transferred our risk to an unaware third party.
The document provides best practices and statistics for working from home cybersecurity. It lists that 94% of malware is delivered via email, 71% of breaches are financially motivated, and worldwide cybersecurity spending will reach $133.7 billion in 2022. The document also outlines nine key practices for remote work cybersecurity including endpoint security compliance, data security and privacy training, multi-factor authentication, vulnerability assessment and patch management, and using secure communication means.
This document discusses risk assessments and managing third-party risk. It provides an overview of Optiv, a security consulting firm, and their services including risk management, security operations, and security technology. It then covers topics like the evolution of the CISO role, enterprise risk management, assessing assets, threats, vulnerabilities, and controls. The document provides methods for evaluating risk like the risk equation and risk register. It also discusses managing risk from third parties and cloud providers through due diligence and risk tiers based on the relationship and inherent risks.
Presentation by Yvette du Toit at ISSA in 2011.
This presentation is about application assessment metrics and their challenges. Examples of Sensepost metrics are given.
One hundred rules for NASA project managers, by Andreea Mocanu
This document summarizes 100 rules for NASA project managers collected by Jerry Madden over his career at NASA. The rules cover many aspects of project management including initial planning, communications, reviews, contractors, engineers, software, budgets, and failures. They emphasize the importance of understanding all aspects of a project, dealing with people respectfully, and being proactive rather than reactive in addressing challenges that arise. The rules are intended to distill practical lessons from experience and ensure high standards of integrity and excellence in project outcomes.
This document provides an overview of ISO27001's risk assessment approach, which involves identifying assets, threats, vulnerabilities and controls to determine inherent and residual risks. Key steps include identifying high value assets, threats against those assets, vulnerabilities that could be exploited by threats, inherent risk levels without controls, existing controls, and residual risk levels with controls in place. Risks still above thresholds after controls would be added to an information security risk register for ongoing treatment and monitoring.
This document discusses assessment techniques for evaluating network security and compliance. It covers external vulnerability assessments conducted as an outsider to identify vulnerabilities through reconnaissance, system and service enumeration, and vulnerability scanning. Internal assessments are also discussed to test compliance from an insider perspective against security policies. A variety of tools are presented for different phases of external and internal assessments, including network mappers, vulnerability scanners, and tools for testing firewall and IDS policies.
Security Differently - DevSecOps Days Austin 2019, by Aaron Rinehart
The document discusses the concept of "security differently", which focuses on relying on people's expertise and insights rather than a compliance-based approach to security. It argues that current security practices often view people as the problem rather than the solution. Security differently aims to halt the over-bureaucratization of security work and instead ask people what they need while focusing on competency and common sense. The document also notes that complex systems are inherently difficult to secure and that outages and breaches will continue without rethinking traditional security approaches.
ADDO - Navigating the DevSecOps App-ocalypse 2020, by Aaron Rinehart
The speed and scale of complex system operations within cloud-driven architectures make them extremely difficult for humans to mentally model their behavior. This often results in unpredictable and catastrophic outcomes that become costly when unexpected security incidents occur. There is a need to realign the actual state of operational security measures in order to maintain an acceptable level of confidence that our security actually works when we need it to.
As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Chaos Engineering allows us to proactively expose the failures, build resilient systems, and develop an "Applied Security" model to minimize the impact of failures.
Chaos Engineering allows for security teams to proactively experiment and derive new information about underlying factors that were previously unknown. This is done by developing live fire exercises that can be measured, managed, and automated. Contrary to Red/Purple Team exercises, chaos engineering does not use threat actor or adversarial tactics, techniques and procedures. As far as we know it Chaos Engineering is the only proactive mechanism for detecting availability and security incidents before they happen. We proactively introduce turbulent conditions, faults, and failures into our systems to determine the conditions by which our security will fail before it actually does.
In this session we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.
The reactionary state of the industry means that we quickly identify the ‘root cause’ in terms of ‘human-error’ as an object to attribute and shift blame. Hindsight bias often confuses our personal narrative with truth, which is an objective fact that we as investigators can never fully know. The poor state of self-reflection, human factors knowledge, and the nature of resource constraints further incentivize this vicious pattern. This approach results in unnecessary and unhelpful assignment of blame, isolation of the engineers involved, and ultimately a culture of fear throughout the organization. Mistakes will always happen.
Rather than failing fast and encouraging experimentation, the traditional process often discourages creativity and kills innovation. As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Expose the failures, build resilient systems, and develop an "Applied security" model to minimize the impact of failures. In this session we will discuss the role of ‘human-error’, root cause, and resilience engineering in our industry and how we can use new techniques such as Chaos Engineering to make a difference.
Security focused Chaos Engineering proposes that the only way to understand this uncertainty is to confront it objectively by introducing controlled signals. During this session we will cover some key concepts in Safety & Resilience Engineering work based on Sydney Dekker’s 30 years of research into airline accident investigations and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
Avi Orenstein and Tal Argoni lead a team that redefines cyber safety. They discuss penetration testing, which involves attacking a system to find security weaknesses, and red teaming, where an independent group challenges an organization from all sides to improve effectiveness. While penetration testing focuses on regular checks, user rights, and vulnerability assessments, red teaming better mimics the organizational environment to provide a more realistic security evaluation.
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
Root Cause Analysis and Corrective Actions, by Hannah Stewart
A snapshot of 5 of the most popular root cause analysis methods for EHS incident investigation, plus how to manage follow up corrective and preventive actions effectively. Read the full report here: https://www.pro-sapien.com/resources/downloads/root-cause-analysis/
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro..., by NoNameCon
Talk by Nazar Tymoshyk at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/GSRUTP/
Incident Detection & Response requires People - to Think, Tools - to provide data and analytics and Processes - to avoid fuckups and assure the quality. But with more alerts, the analysis takes more time, decisions and moreover - actions need to be taken immediately. Attackers actively use automation, so Defenders should also optimize their processes.
In our presentation, we'd like to share with the community our lessons learned. Our focus would be on practical moments, the challenges we faced and the simple working solutions we discovered.
We plan to challenge the audience with simple but vital questions that will help to establish a good communication bridge to make this delivery effective and valuable for engineers to improve their defense. We'd also like to discuss a variety of actions to be taken after the incident is confirmed. Come and take it.
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling, by Tony Martin-Vegue
Slides from Tony Martin-Vegue's presentation at the ISACA Fall Conference: October 15th, 2014
"How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling"
Abstract:
CISOs and risk analysts alike often get caught up in checking boxes on a list of control objectives in order to satisfy compliance and regulatory requirements. However, companies that only view risk through a narrow, regulatory or compliance-focused lens have the potential to overlook a myriad of threats that could impact business continuity, customer privacy and security and financial solvency. The last several high-profile data breaches prove that compliance does not equal security.
There are many ways to assess risk in a meaningful, efficient way that drives business value. Many top companies are moving away from control-based and vulnerability-based risk assessments and are instead putting themselves in the shoes of an attacker. In order to keep up with the rapidly evolving world of cyber criminals and crime rings, organizations are learning to utilize threat intelligence to ascertain the methods, goals, and objectives of threat agents that are targeting their firm or similar firms in their sector. This helps an organization produce focused risk assessments that take a business-centric approach.
This is a beginner to intermediate-level presentation designed to provide an introduction to threat modeling, a primer on threat modeling techniques, ways to integrate threat modeling into risk management frameworks (such as FAIR and NIST), and how to build a library of threat agents specific to one’s firm. Attendees will learn hands-on techniques to perform threat modeling that they will be able to immediately integrate into their risk assessment processes.
Risk management is the process of analyzing exposure to risk and determining how to best handle such exposure.
Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
Common and dangerous myths about security vulnerability assessments from experienced vulnerability assessors of physical security and nuclear safeguards devices, systems, and programs.
This document summarizes Roger Johnston's talk on under-utilized methods for mitigating the insider threat. Johnston discusses improving security culture and climate by welcoming security ideas from all employees and viewing vulnerabilities as opportunities. He also outlines examples of largely unstudied human factors in security like security awareness training, insider threat motivation and countermeasures, and mitigating employee disgruntlement. The document advocates applying insights from psychology, such as reducing cognitive dissonance, to strengthen security practices against both inadvertent and deliberate insider threats.
CHI'07: Biases in Human Estimation of Interruptibility, by cpt.positive
The document reports on a study that examined biases in human estimation of others' interruptibility. Researchers compared self-reported interruptibility levels from participants with estimates of those participants' interruptibility made by other observers viewing video clips. Certain contextual cues like social engagement and phone use affected whether observers over- or under-estimated interruptibility. Observers tended to overestimate interruptibility when cues like computer use were present but not actually correlated with self-reports. The study provides insights into cues that mislead interruptibility estimates and how awareness systems could be designed to avoid or mitigate estimation errors.
Threat modeling from the trenches to the clouds, by Priyanka Aash
What wisdom percolates from building threat modeling practices across four organizations? This presentation will draw from hundreds of students, years of coaching, 100 formal trainings and 1000s of threat models. This presentation will draw upon experience gained in the trenches of the battle to reduce design errors that is often fought with threat modeling. Conclusions may overturn cherished beliefs.
(Source : RSA Conference USA 2017)
This document provides an overview of information security risk management. It defines risk management as identifying risks, their owners, probability, impact, suitable mitigations, and contingency plans. The objectives of information security risk management are ensuring risks to confidentiality, integrity, availability, and traceability of information are effectively managed. Common problems with risk management include poor risk descriptions, ineffective mitigation actions, and a reactive rather than proactive approach. The document outlines identifying risks from sources like cloud computing and third parties, recording risks in a risk register, assigning owners, and monitoring mitigation progress.
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ..., by Steve Werby
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac..., by Outpost24
Our security experts present how to step up your cyber hygiene best practice to prevent targeted hacking attempts from remote code execution to network exploitation.
Presentation by Yvette du Toit at ISSA in 2011.
This presentation is about application assessment metrics and their challenges. Examples of Sensepost metrics are given.
One hundred rules for nasa project managersAndreea Mocanu
This document summarizes 100 rules for NASA project managers collected by Jerry Madden over his career at NASA. The rules cover many aspects of project management including initial planning, communications, reviews, contractors, engineers, software, budgets, and failures. They emphasize the importance of understanding all aspects of a project, dealing with people respectfully, and being proactive rather than reactive in addressing challenges that arise. The rules are intended to distill practical lessons from experience and ensure high standards of integrity and excellence in project outcomes.
This document provides an overview of ISO27001's risk assessment approach, which involves identifying assets, threats, vulnerabilities and controls to determine inherent and residual risks. Key steps include identifying high value assets, threats against those assets, vulnerabilities that could be exploited by threats, inherent risk levels without controls, existing controls, and residual risk levels with controls in place. Risks still above thresholds after controls would be added to an information security risk register for ongoing treatment and monitoring.
This document discusses assessment techniques for evaluating network security and compliance. It covers external vulnerability assessments conducted as an outsider to identify vulnerabilities through reconnaissance, system and service enumeration, and vulnerability scanning. Internal assessments are also discussed to test compliance from an insider perspective against security policies. A variety of tools are presented for different phases of external and internal assessments, including network mappers, vulnerability scanners, and tools for testing firewall and IDS policies.
Security Differently - DevSecOps Days Austin 2019Aaron Rinehart
The document discusses the concept of "security differently", which focuses on relying on people's expertise and insights rather than a compliance-based approach to security. It argues that current security practices often view people as the problem rather than the solution. Security differently aims to halt the over-bureaucratization of security work and instead ask people what they need while focusing on competency and common sense. The document also notes that complex systems are inherently difficult to secure and that outages and breaches will continue without rethinking traditional security approaches.
ADDO - Navigating the DevSecOps App-ocalypse 2020 Aaron Rinehart
The speed and scale of complex system operations within cloud-driven architectures make them extremely difficult for humans to mentally model their behavior. This often results in unpredictable and catastrophic outcomes that become costly when unexpected security incidents occur. There is a need to realign the actual state of operational security measures in order to maintain an acceptable level of confidence that our security actually works when we need it to.
As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Chaos Engineering allows us to proactively expose the failures, build resilient systems, and develop an "Applied Security" model to minimize the impact of failures.
Chaos Engineering allows for security teams to proactively experiment and derive new information about underlying factors that were previously unknown. This is done by developing live fire exercises that can be measured, managed, and automated. Contrary to Red/Purple Team exercises, chaos engineering does not use threat actor or adversarial tactics, techniques and procedures. As far as we know it Chaos Engineering is the only proactive mechanism for detecting availability and security incidents before they happen. We proactively introduce turbulent conditions, faults, and failures into our systems to determine the conditions by which our security will fail before it actually does.
In this session we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.
The reactionary state of the industry means that we quickly identify the ‘root cause’ in terms of ‘human-error’ as an object to attribute and shift blame. Hindsight bias often confuses our personal narrative with truth, which is an objective fact that we as investigators can never fully know. The poor state of self-reflection, human factors knowledge, and the nature of resource constraints further incentivize this vicious pattern. This approach results in unnecessary and unhelpful assignment of blame, isolation of the engineers involved, and ultimately a culture of fear throughout the organization. Mistakes will always happen.
Rather than failing fast and encouraging experimentation, the traditional process often discourages creativity and kills innovation. As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Expose the failures, build resilient systems, and develop an "Applied security" model to minimize the impact of failures. In this session we will cover discuss the role of ‘human-error’, root cause, and resilience engineering in our industry and how we can use new techniques such as Chaos Engineering to make a difference.
Security focused Chaos Engineering proposes that the only way to understand this uncertainty is to confront it objectively by introducing controlled signals. During this session we will cover some key concepts in Safety & Resilience Engineering work based on Sydney Dekker’s 30 years of research into airline accident investigations and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive
Avi Orenstein and Tal Argoni lead a team that redefines cyber safety. They discuss penetration testing, which involves attacking a system to find security weaknesses, and red teaming, where an independent group challenges an organization from all sides to improve effectiveness. While penetration testing focuses on regular checks, user rights, and vulnerability assessments, red teaming better mimics the organizational environment to provide a more realistic security evaluation.
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
Root Cause Analysis and Corrective ActionsHannah Stewart
A snapshot of 5 of the most popular root cause analysis methods for EHS incident investigation, plus how to manage follow up corrective and preventive actions effectively. Read the full report here: https://www.pro-sapien.com/resources/downloads/root-cause-analysis/
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...NoNameCon
Talk by Nazar Tymoshyk at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/GSRUTP/
Incident Detection & Response requires People - to Think, Tools - to provide data and analytics and Processes - to avoid fuckups and assure the quality. But with more alerts, the analysis takes more time, decisions and moreover - actions need to be taken immediately. Attackers actively use automation, so Defenders should also optimize their processes.
In our presentation, we'd like to share with the community our lessons learned. Our focus would be on practical moments, the challenges we faced and the simple working solutions we discovered.
We plan to challenge the audience with simple but vital questions that will help to establish a good communication bridge to make this delivery effective and valuable for engineers to improve their defense. We'd like to discuss also a variety of actions to be taken after the incident is confirmed. Come and take it.
How to Improve Your Risk Assessments with Attacker-Centric Threat ModelingTony Martin-Vegue
Slides from Tony Martin-Vegue's presentation at the ISACA Fall Conference: October 15th, 2014
"How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling"
Abstract:
CISO’s and risk analysts alike often get caught up in checking boxes on a list of control objectives in order to satisfy compliance and regulatory requirements. However, companies that only view risk through a narrow, regulatory or compliance-focused lens have the potential to overlook a myriad of threats that could impact business continuity, customer privacy and security and financial solvency. The last several high-profile data breaches prove that compliance does not equal security.
There are many ways to assess risk in a meaningful, efficient way that drives business value. Many top companies are moving away from control-based and vulnerability-based risk assessments and are instead putting themselves in the shoes of an attacker. In order to keep up with the rapidly evolving world of cyber criminals and crime rings, organizations are learning to utilize threat intelligence to ascertain the methods, goals, and objectives of threat agents that are targeting their firm or similar firms in their sector. This helps an organization produce focused risk assessments that take a business-centric approach.
This is a beginner to intermediate-level presentation designed to provide an introduction to threat modeling, a primer on threat modeling techniques, ways to integrate threat modeling into risk management frameworks (such as FAIR and NIST), and how to build a library of threat agents specific to one’s firm. Attendees will learn hands-on techniques to perform threat modeling that they will be able to immediately integrate into their risk assessment processes.
Risk management is the process of analyzing exposure to risk and determining how to best handle such exposure.
Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
Common and dangerous myths about security vulnerability assessments from experienced vulnerability assessors of physical security and nuclear safeguards devices, systems, and programs.
This document summarizes Roger Johnston's talk on under-utilized methods for mitigating the insider threat. Johnston discusses improving security culture and climate by welcoming security ideas from all employees and viewing vulnerabilities as opportunities. He also outlines examples of largely unstudied human factors in security like security awareness training, insider threat motivation and countermeasures, and mitigating employee disgruntlement. The document advocates applying insights from psychology, such as reducing cognitive dissonance, to strengthen security practices against both inadvertent and deliberate insider threats.
CHI'07: Biases in Human Estimation of Interruptibility (cpt.positive)
The document reports on a study that examined biases in human estimation of others' interruptibility. Researchers compared self-reported interruptibility levels from participants with estimates of those participants' interruptibility made by other observers viewing video clips. Certain contextual cues like social engagement and phone use affected whether observers over- or under-estimated interruptibility. Observers tended to overestimate interruptibility when cues like computer use were present but not actually correlated with self-reports. The study provides insights into cues that mislead interruptibility estimates and how awareness systems could be designed to avoid or mitigate estimation errors.
Threat modeling from the trenches to the clouds (Priyanka Aash)
What wisdom percolates from building threat modeling practices across four organizations? This presentation will draw from hundreds of students, years of coaching, 100 formal trainings and 1000s of threat models. This presentation will draw upon experience gained in the trenches of the battle to reduce design errors that is often fought with threat modeling. Conclusions may overturn cherished beliefs.
(Source : RSA Conference USA 2017)
This document provides an overview of information security risk management. It defines risk management as identifying risks, their owners, probability, impact, suitable mitigations, and contingency plans. The objectives of information security risk management are ensuring risks to confidentiality, integrity, availability, and traceability of information are effectively managed. Common problems with risk management include poor risk descriptions, ineffective mitigation actions, and a reactive rather than proactive approach. The document outlines identifying risks from sources like cloud computing and third parties, recording risks in a risk register, assigning owners, and monitoring mitigation progress.
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac... (Outpost24)
Our security experts present how to step up your cyber hygiene best practice to prevent targeted hacking attempts from remote code execution to network exploitation.
1. Cybersecurity risk management involves identifying vulnerabilities and risks, assessing their likelihood and impact, and implementing measures to reduce risks to acceptable levels.
2. A risk analysis was presented that identifies assets, threats, vulnerabilities, assesses impact of threats, likelihood of vulnerabilities being exploited, and determines overall risk levels.
3. Managing cybersecurity risk is a team effort that requires addressing both technical risks like vulnerabilities in systems, as well as human risks from employees through training to reduce threats.
Threat intelligence involves the collection and analysis of data about potential cybersecurity risks in order to inform an organization's security decisions and improve prevention, detection, and response capabilities. The document discusses how establishing a dedicated threat intelligence program can help organizations by providing deeper insights into emerging and strategic threats, enabling more effective allocation of security budgets. It also notes that integrating threat intelligence with security tools and orchestrating automated responses is key to realizing the full benefits of a threat intelligence practice.
I am my worst enemy — A first person look at Insider Threat (Ahmed Masud)
A non-technical presentation to start thinking about how much each of us affects the security of our own organization. People are the key to an organization, and they also pose the greatest threat to it (well beyond the technology). The breach almost always occurs at the Human-Technology interface. This is first in a series of presentations on this topic.
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec? (Capgemini)
As many enterprises begin their journey to innovate and differentiate their products through technology built with a DevOps mindset and Agile methods, and head down the road to the "Application Economy", this drives a high velocity of change for application security. How can we get ahead?
Join Capgemini to learn how the byproduct of IoT is a more connected enterprise and nation that will require new secure and resilient ways of software design, coding, and testing (SDLC) and new frameworks to secure and make an attack-resilient IoT ecosystem.
Presented at HPE Discover Las Vegas 2016.
Anyone handling sensitive information in this day and age needs to have a solid security setup and a plan for when something goes wrong. This webinar aims to get you looking at your security with fresh eyes and give you an outline of an action plan.
This document discusses risk management and vulnerability management from a practical perspective. It argues that risk management is about understanding risks based on loss magnitude and likelihood, not compliance. It also argues that typical vulnerability management practices like periodic scans have gaps and may not accurately capture risks. It provides suggestions for taking a more risk-based approach to vulnerability management, including using asset information, exposure estimation, and techniques like Vulners to help close scanning gaps.
This document discusses why enterprise security often fails against cyber threats and provides recommendations. It summarizes that the traditional enterprise security model was designed for compliance rather than addressing modern cyber warfare tactics, resulting in vulnerabilities. The document recommends adopting the Cybersecurity Framework to better identify all IT assets, protect against threats through elimination techniques, and improve detection abilities. It also stresses the importance of response and recovery plans as well as measuring security effectiveness through readiness, capability, and quick response times.
This document summarizes the key points from a security presentation given by John "geekspeed" Stauffacher and Matthew "mattrix" Hoy. The presentation discusses how relying too heavily on automated detection tools has weakened many organizations' security posture and response capabilities. It advocates adopting a "Cleaner" approach that goes beyond just reimaging systems to identify threats, attackers' capabilities, and actions to stop attackers. Key areas that need improvement are outlined such as inadequate preparation, treating security as an afterthought, and failing to understand attackers' motives and methods in order to better defend against future incidents. Specific tools and techniques are also provided that can help with tasks like identifying attackers, containing compromises, and learning lessons to strengthen defenses going
PCI. HIPAA. CFPB. We're KILLING small businesses with over-regulation in the name of security, while turning a blind eye to the fact that the cost of over-regulation is doing more harm than good, distracting business owners from realistically focusing on the risks that apply to their companies. It's time to have an open, honest conversation about a "common sense" security framework.
Intro to a Data-Driven Computer Security Defense (Roger Grimes)
Introduces a Data-Driven Computer Security Defense, a computer security defense strategy introduced by the author. Slide deck complements the book and whitepaper and can be used by anyone.
Connecting the Dots Between Your Threat Intelligence Tradecraft and Business ... (SurfWatch Labs)
Threat intelligence needs to be in a language the business understands. SurfWatch Labs can help connect cyber threat intelligence to business operations in order to help manage cyber risk.
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh (Napier University)
This document summarizes a presentation on leveraging big data in cybersecurity. It discusses how current security challenges include breaches occurring within minutes while most go undiscovered for months or years. Inside-out security is proposed to detect both known and unknown threats using deep endpoint visibility and activity correlation. This allows proactive detection, assessment of sensitive data and risks, automated incident response, and recovery to reduce breach discovery times.
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac... (Adrian Sanabria)
Enterprise security teams are facing numerous challenges because of evolving threat vectors bypassing existing technology, a deluge of alerts, and a lack of skilled resources to stop advanced threats. Even if enterprises have a budget to bring in outside incident response and forensics teams to stop the bleeding, by then damages and loss have already occurred.
Security teams must change the shape of their security program to stop threats at the earliest and all stages of the attacker lifecycle. Join 451 Research Senior Analyst Adrian Sanabria and Director of Products at Endgame Mike Nichols as they talk about how earliest prevention and instant detection can change the shape and outcome of an enterprise security program.
This talk will outline strategies for:
• Prioritizing the alerts and events that really matter
• Identifying parts of the investigation workflow that can be automated
• Building a detection methodology that creates confidence and continuously improves defenses
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez (EC-Council)
Bobby Dominguez is an accomplished Internet pioneer and an acknowledged security, risk, and privacy expert. Mr. Dominguez has successfully integrated information security into top-level business initiatives at Home Shopping Network, PSCU Financial Services, and PNC Bank, where he implemented a new technology risk management framework. Under his leadership, the Sykes Global Security and Risk Management team was nominated and selected as one of the 5 best by 2008 SC Magazine “Best Security Team in the US.” Mr. Dominguez was also selected as one of the top 5 Chief Security Officers for the 2009, 2010, and 2013 SC Magazine “CSO of Year.” In 2012 he was a finalist for (ISC)2 Americas Information Security Leadership Awards.
Cybersecurity: An FBI perspective: how cyber criminals exploit the goodness o... (Ruth Edmonds)
Insight into how cyber criminals prey on your employees to get access to your company's valuable data, and tips and technology that can help you protect yourself. See webinar video here: http://bit.ly/Avatu-how-cybercriminals-exploit-your-employees
1) Risk assessment is the foundation of any security program and can help organizations avoid significant fines and penalties in the event of a data breach or audit findings.
2) A risk analysis involves identifying threats, vulnerabilities, and risks; assessing current security measures; determining the likelihood and impact of risks; and identifying security measures to address risks.
3) Tools and frameworks like NIST, HIPAA, OCTAVE, and those from CompTIA, DHS, and HHS can help organizations conduct thorough and effective risk analyses.
Cyber Attacks aren't going away - including Cyber Security in your risk strategy (James Mulhern)
There's a data explosion underway and it's a lucrative market for cyber criminals. Charities with their complex contexts and valuable data are an obvious target and so it's essential Cyber threats are addressed in Charities' risk strategies.
This presentation set outs the current situation, what the potential consequences are and who could be impacted before explaining what can be done about it and how to approach the challenge.
Presentation to representatives from the UK Charities sector at the Charity Finance Group's annual IT, Data, Insights and Cyber Security Conference.
Similar to Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Different! [Presented by Steve Werby at RVAsec 2014] (20)
Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe... (Steve Werby)
Malicious URLs have been plaguing users for years. Leveraging of shortened URLs, redirect exploits, and other techniques have made detection of malicious links a much tougher problem for users who have to make a decision and for technical controls. This has gotten worse with the proliferation of QR codes and NFC tags. In this talk, I'll discuss research I conducted concerning the effectiveness of attacks using malicious QR codes, issues with mobile device QR code readers, an education campaign that resulted, and recommendations for users, publishers, app developers, and information security practitioners.
Information Security Threat Level Snapshot Template by Steve Werby 2014 (Steve Werby)
I created this template for displaying a snapshot of the current information security threat level as it pertains to my organization. Technically, its current use is to represent threat actors, attack vectors, vulnerabilities, and additional context.
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb... (Steve Werby)
Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St... (Steve Werby)
By aggregating and creating new dictionaries and manipulating them to guess plaintext and hashed passwords in high profile password exposures, I'll demonstrate which dictionary attacks and password cracking strategies are the most effective. I will also discuss the building of passphrase dictionaries. The password and passphrase cracking will be performed primarily using Amazon EC2 and the time, cost, and resource constraints of EC2 and other options will be analyzed.
Versions of this talk were also presented at Hack3rCon, DerbyCon, and SOURCE Seattle.
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente... (Steve Werby)
Your organization has invested in a variety of tools to manage its information technology and the security of its systems. But it's a nightmare to synthesize this information so non-technical decision makers can make informed decisions and so information security and IT management can manage security effectively. We developed and implemented a web-based tool which has been integrated with numerous data sources to address this business need across our large, decentralized organization with a heterogeneous IT environment. Now non-technical staff who previously knew little about their technology can easily view information about their assets and how they're being managed, and information security staff have access to the information they need in a centralized tool. The tool will be demonstrated and the technology, implementation, management and usage of the system will be covered in order to share successes and lessons learned.
Crunching the Top 10000 Websites' Password Policies and Controls [Presented b... (Steve Werby)
A detailed analysis of password policies and authentication controls for widely-used websites hadn’t been conducted and seemed to be a daunting effort. To address this I supplemented automated and semi-automated data collection with the utilization of low-cost marketplaces like Amazon Mechanical Turk and unpaid volunteers. I will cover my methodology, analysis of the collected data, challenges, lessons learned, and future plans.
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We... (Steve Werby)
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.
2. Insanity
Insanity [noun] in-ˈsa-nə-tē: Doing the same thing over and over again and getting and expecting different results¹
s/Insanity/Information Security
¹ Despite popular belief, there is no evidence that this was written or spoken by Albert Einstein
3. We’re Doing it Wrong
Security == 0 || Security == 1 (we treat security as all-or-nothing)
Focus on vulnerabilities
Think in terms of worst-case scenarios
Serve as an obstacle
Don't demonstrate value
Point fingers
4. What Do You Mean By “We”?
He's talking about me! 65%
I can relate to some of this. 20%
Not me [I'm delusional]. 13%
My house is in order! 2%
5. But Blame is Shared
How can we align with org’s objectives?
What do you think we should do?
What’s our risk for scenario I read about?
Should we address this?
How can we prevent this in the future?
How did you let this happen!?
7. Who am I?
I am not a rock star
I am not a guru
8. Who am I?
I am not a rock star
I am not a guru
I am not a thought leader¹
¹ I am not belittling Chris Eng (pictured). I am a fan of the video he created, “How to Become an Information Security Thought Leader”: https://www.youtube.com/watch?v=Pc64xWxRsag
9. Rules and Guidelines
Please hold questions until the end. I’ll also be available after the talk.
It’s OK to laugh. Information security is tough if you keep everything bottled up.
Constructive and unconstructive feedback welcome at @stevewerby. And don’t forget hashtag #rvasec.
10. Disclaimer, Disavowal, and Renunciation
These are not necessarily the views of
• My employer
• You
• Anyone else or anything else in the universe
If your feelings are easily hurt by being told you've been doing it wrong, consider leaving
• But you'll miss some ways of doing it better
This disclaimer/disavowal/renunciation is retroactive to the Unix Epoch
• And is subject to change without notice
13. Bad Advice – Passwords
Use unique passwords, memorize them, and change them regularly
Bad
• Unique isn't actually what we want
• We don't really care if they memorize them
• Change them every 42 days
- Reason no longer applicable (offline brute force defense)
- Research doesn't even support that it's effective
16. Unintended Consequences – Passwords
Get entered into wrong system
Ignore “requirements” and don't make them unique
Write them down insecurely
Unique, but other passwords give clues about this password
Change regularly leads to (n+1)th similar to nth
18. Bad Advice – Long, Technical Policy
Too looooooooooooooooooooooooooooong
Legal is happy, you may be happy
• Serves as a CYA and a violation lever
Many never even consider reading it…but if they do
• Not easy to comprehend
• Impossible for users to retain
Doesn’t consider impact on those affected
23. Broken Paradigm – CIA Model
Should be AIC
Masquerades as a holistic security model, but is a limited model that focuses entirely on information
Parkerian Hexad better
• Adds possession, authenticity, availability
26. Broken Paradigm – Vulnerability-Centric
Unlocked, 20-year old, empty beaten up car in middle of full parking lot
Unlocked house with $10MM in diamonds in the middle of the desert and only 1 person knows it’s there
27. Rules and Guidelines
A vulnerability without an impact is not a risk!
A vulnerability without a threat is not a risk!
28. What Information Security Is (Allegedly)
Information security is the practice of defending information against unauthorized access, use, disclosure, modification, or destruction
29. What Information Security Is (Really)
Information security is the defense of information and IT systems in alignment with stakeholders' direction for addressing risk and opportunities
30. What Information Security Is (Really)
Information security is the defense of information and IT systems in alignment with stakeholders' direction for addressing risk and opportunities
Breaking it Down
• What information do we have?
• What IT systems use it?
• Who are stakeholders?
• What are our risks?
• What are our opportunities?
31. Focus – From Chaos to Disorder
Phase 1
• Org mission and vision
• Org goals and success factors
Phase 2
• Essential business processes
• Secondary business processes
Phase 3
• Information
• IT systems
Phase 4
• Risks
• Opportunities
33. What Risk Is
R = Threat * Vulnerability * Impact
R = Likelihood * Impact
• Can be range of impact/likelihood scenarios
• Likelihood of threat exploiting vulnerability, resulting in impact
35. Risk Appetite [1 of 2]
Expressing risk appetite
• Boundary on impact/likelihood grid
• Descriptive
- 99.9% manufacturing system uptime
- No social media account abuse
- No audit findings
• Maximum annual $ loss (bottom quartile for industry)
Can vary
• Across business units (R&D vs. marketing)
• By scenario (PII vs. IP, individual records vs. bulk loss)
36. Risk Appetite [2 of 2]
Level 1
• Infosec
Level 2
• IT leadership and IT support aligned with LOB
• Others who may have insights, even if they lack authoritative knowledge
Level 3
• LOB management
• LOB leadership
Level 4
• Risk steering committee
• Enterprise leadership team or board
38. Threat Model to Assess Risk [1 of 3]
Tool for infosec
Adequate for explaining to stakeholders, though they care about impact and likelihood, not threats and vulnerabilities
Inefficient and illogical way of identifying risk though
Chart is a modified version of a chart in the OWASP Top 10 – 2013 (http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf)
39. Threat Model to Assess Risk [2 of 3]
If likelihood of impact < acceptable, stop
If likelihood of all threat actors < acceptable, stop
40. Threat Model to Assess Risk [3 of 3]
Iteration 1 – Impact, threat actor, vulnerability and controls, attack vector
Iteration 2 – Threat actor likelihood, likelihood of targeting vulnerability (prevalence, discovery), attack vector likelihood (skills, resources)
Iteration 3 – Determine risk
41. Assessing Risk
Compare risk with risk appetite
Make decisions based on comparison
• And cost/benefit analysis, constraints, and priorities
Stakeholders
• Involve in process to the degree you can (worst case, inform)
If risk < acceptable then accept residual risk
Otherwise reduce, transfer (insure or contract/outsource), avoid (eliminate situation or activity), ignore (head in sand)
Use output to define current state, future state, and gaps
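As an added example (not from the talk), the three threat-model iterations of slide 40, the early stops of slide 39, and the comparison against risk appetite on this slide, carried through in Python on constructed scenarios; the 0-1 likelihood scale, the 1-10 impact scale and the appetite boundary are assumptions:

```python
# Added example, not from the talk: the three threat-model iterations of slide
# 40 and the early stops of slide 39, scored on an assumed 0-1 likelihood scale
# and 1-10 impact scale. Every scenario value and the appetite boundary below
# is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    impact: float             # iteration 1: 1-10, loss if it plays out
    actor_likelihood: float   # iteration 2: chance this threat actor shows up
    vuln_likelihood: float    # iteration 2: prevalence x ease of discovery
    vector_likelihood: float  # iteration 2: actor has the skills/resources


# Risk appetite as a boundary on the impact/likelihood grid (slide 35):
# below this impact, or below this likelihood, the org accepts the risk.
APPETITE = {"impact": 3.0, "likelihood": 0.1}


def assess(s: Scenario, appetite=APPETITE) -> tuple:
    """Return (decision, risk). R = Likelihood * Impact, per slide 33."""
    if s.impact < appetite["impact"]:
        return "stop: impact acceptable", 0.0           # slide 39, first stop
    if s.actor_likelihood < appetite["likelihood"]:
        return "stop: no credible threat actor", 0.0    # slide 39, second stop
    # Likelihood that the actor targets the vulnerability via the vector.
    likelihood = s.actor_likelihood * s.vuln_likelihood * s.vector_likelihood
    risk = likelihood * s.impact                        # iteration 3
    if likelihood < appetite["likelihood"]:
        return "accept residual risk", risk             # slide 41
    return "treat: reduce, transfer or avoid", risk     # slide 41


# Constructed scenarios, including the two from slide 26.
SCENARIOS = [
    Scenario("unlocked empty 20-year-old car in a full lot", 1, 0.9, 1.0, 1.0),
    Scenario("unlocked house of diamonds, one person knows", 10, 0.01, 1.0, 1.0),
    Scenario("laptop stolen while in use, disk unencrypted", 8, 0.9, 0.5, 0.9),
    Scenario("DMZ web server, patched, no known exploit", 6, 0.5, 0.1, 0.2),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        decision, risk = assess(s)
        print(f"{s.name}: {decision} (risk {risk:.2f})")
```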
42. Rules and Guidelines
Start simple and enhance later!
Align with business needs!
Communicate current state, future state, and gaps!
43. Broken Paradigm – Blinky Lights
We neglect our existing blinky light technologies
• Functionality not enabled (functionality we aren’t even aware of)
We neglect the data that is all around us
• Lots of chatty devices
• Many non-traditional sources
- Internal and external
- Electronic and non-electronic (including human)
44. Rules and Guidelines
Give people and processes appropriate attention!
Maximize utilization of available resources!
45. Comparison of Controls
We fail at this because we don’t align with business needs or the way the business considers alternatives
46. Comparison of Risk Reduction Alternatives
Level 1
• Confidence in alternative (yours and theirs)
• Impact – risks and opportunities
Level 2
• User friction
• Management friction
Level 3
• Implementation and management burden, complexity, and timeframe
• Cost and cost avoidance
50. [Think|Act] The Approach
Focus on business needs, desired outcomes, capabilities
Ask yourself and others lots of questions
Challenge assumptions and recognize that needs, risks, and capabilities evolve
52. Ask Yourself Questions
Direction
• How much risk are data owners and function owners willing to accept?
• Am I meeting stakeholders’ expectations?
Capabilities and outcomes
• How quickly are we containing incidents compared to a year ago?
• If the source and destination of an attack are within our data center, do we have visibility?
• Is our manual effort to provide malware samples to our AV provider resulting in subsequent blocking in our environment?
Risk
• What percentage of critical vulnerabilities in our environment are exploited in the wild before we remediate them?
• What if someone stole a laptop from an employee while he was using it?
53. [Think|Act] Different – Start *Somewhere*
Where
• Easiest? Highest value? With person who raises hand? Opportunity arises?
• May not be your call
Be prepared
• Incident in your environment
• Incident elsewhere
• Inquiry from stakeholder
Crawl, walk, run – gain experience and learn lessons
54. [Think|Act] Different – Go Against the Grain
Get a Mac campaigns from 2006 to 2009
The higher the penetration of a technology or tool, the more likely it will be targeted
• If you use tools with high penetration
- How quickly can your use of it be discovered?
- Do you have compensating controls?
- How quickly can you remediate vulnerabilities?
Consider technologies, tools, and configurations that reduce exploitation likelihood
55. [Think|Act] Different – Leave Echo Chamber
Smart people in infosec, but <1% of workers
Lots of smart people and great ideas elsewhere
Regardless, your stakeholders should be determining what to protect, how much, and sharing constraints and opportunities to align with
58. [Think|Act] Different – Security Awareness
Define high-priority outcomes and focus on them
• Knowing what an incident is and what to do
Make it personal and relevant – awareness of risk and influence behavior
• Password reuse can put our IP at risk and put your finances and private communications at risk
• Loss of competitive advantage, loss of money, disclosure of private info
59. Rules and Guidelines
People don’t care about your data and systems!
Make it personal!
Your employees’ personal lives are not out of scope to your adversaries!
Measure what matters!
60. [Think|Act] Different – Cloud and Mobile
Remember how you felt about…
• workstation Internet access? laptops? public facing B2B web apps? thumb drives? Bluetooth headsets? Skype?
This is kind of like that.
It’s coming.
You can’t stop it.
You shouldn’t stop it.
Better to ask “How might we enable the business and manage the risks?”
63. [Think|Act] Different – Challenge Status Quo
Ask why
• Why did we implement these controls?
• Have the risks changed?
• Have the controls changed?
• Have the requirements and assumptions changed?
• How might we do this better?
Do this before you say “no”
64. [Think|Act] Different – Metrics
Metrics should
• Describe outcomes, capabilities, or progress towards target state
• Answer questions or allow you to formulate new questions
• Be meaningful and actionable
Not a metric
• Average days to patch vulnerability
• Number of people who opened communication about phishing
Is a metric
• % of critical vulns patched after threshold, median days above threshold
• % responding to phishing emails broken down by whether or not read it
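As an added example (not part of the talk), the two "is a metric" items from this slide computed in Python over constructed vulnerability and phishing records, next to the average the slide rejects; the 30-day remediation threshold and all records are assumptions:

```python
# Added example, not from the talk: the two slide-64 metrics computed from
# constructed data, beside the "average days to patch" they replace. The 30-day
# remediation threshold and every record below are assumptions.
from statistics import mean, median

THRESHOLD_DAYS = 30   # assumed remediation SLA for critical vulnerabilities

# Constructed: (vuln id, days from detection to remediation)
CRITICAL_VULNS = [("V-1", 5), ("V-2", 9), ("V-3", 12), ("V-4", 14),
                  ("V-5", 20), ("V-6", 45), ("V-7", 95), ("V-8", 240)]

# Constructed phishing exercise records: (user, read the email, responded)
PHISH_RESULTS = [("a", True, True), ("b", True, False), ("c", True, True),
                 ("d", False, False), ("e", False, False), ("f", True, False)]


def average_days_to_patch(vulns=CRITICAL_VULNS):
    """The 'not a metric': one number that hides how bad the tail is."""
    return mean(days for _, days in vulns)


def late_patch_metrics(vulns=CRITICAL_VULNS, threshold=THRESHOLD_DAYS):
    """(% of criticals patched after threshold, median days beyond threshold)."""
    overrun = [days - threshold for _, days in vulns if days > threshold]
    pct_late = 100.0 * len(overrun) / len(vulns)
    return pct_late, (median(overrun) if overrun else 0.0)


def phish_response_rate(records=PHISH_RESULTS) -> dict:
    """% responding, broken down by whether the message was read."""
    def rate(rows):
        return 100.0 * sum(1 for r in rows if r[2]) / len(rows) if rows else 0.0
    return {"read": rate([r for r in records if r[1]]),
            "unread": rate([r for r in records if not r[1]])}
```

The average (55 days) looks merely late; the slide's metric shows 3 of 8 criticals blew the SLA and the typical overrun was 65 days.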
66. [Think|Act] Different – Signal vs Noise [1 of 2]
Noise
• Port scans from external source
• Horizontal brute force attacks
• Commodity attacks attempting to leverage vulns which do not appear in our environment
Signal
• Port scans from internal sources
• Diagonal brute force attacks
• Authentication attack ending in successful login
• Authentication attempt, followed by login, followed by abnormal action
• Atypical (or abnormal number of) file accesses or downloads from content repository
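As an added example (not part of the talk), the authentication cases from the noise and signal columns as detection logic over a constructed log; the log format, the two-failure threshold and the abnormal-action list are assumptions:

```python
# Added example, not from the talk: the slide's "noise" and "signal" cases for
# authentication events, applied to a constructed log. The log format, the
# failure threshold and the list of abnormal actions are all assumptions.
import re
from collections import defaultdict

# Constructed sample log: one login attempt per line, not real traffic.
AUTH_LOG = """\
10:00:01 user=alice src=203.0.113.5 result=fail
10:00:02 user=bob src=203.0.113.5 result=fail
10:00:03 user=carol src=203.0.113.5 result=fail
10:00:04 user=dave src=203.0.113.5 result=fail
10:05:00 user=erin src=198.51.100.7 result=fail
10:05:01 user=erin src=198.51.100.7 result=fail
10:05:02 user=erin src=198.51.100.7 result=ok
10:05:30 user=erin src=198.51.100.7 result=ok action=bulk_download
10:07:00 user=frank src=10.0.0.9 result=ok
"""

LINE = re.compile(r"user=(\S+) src=(\S+) result=(\S+)(?: action=(\S+))?")
FAILS_TO_FLAG = 2                                   # assumed threshold
ABNORMAL_ACTIONS = {"bulk_download", "add_admin"}   # assumed watch list


def classify(log: str = AUTH_LOG) -> dict:
    """Map each source address to the slide's category for what it did."""
    fails = defaultdict(int)      # failed logins per source
    targets = defaultdict(set)    # distinct users tried per source
    verdict = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        user, src, result, action = m.groups()
        if result != "ok":
            fails[src] += 1
            targets[src].add(user)
            if fails[src] >= FAILS_TO_FLAG and len(targets[src]) > 1:
                verdict[src] = "noise: horizontal brute force, no login"
            else:
                verdict.setdefault(src, "failed login")
            continue
        # Success after repeated failures, or a login followed by an abnormal
        # action, is the slide's signal; the more specific verdict wins.
        if fails[src] >= FAILS_TO_FLAG:
            verdict[src] = "signal: auth attack ended in successful login"
        if action in ABNORMAL_ACTIONS:
            verdict[src] = "signal: login followed by abnormal action"
        verdict.setdefault(src, "normal login")
    return verdict
```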
69. [Think|Act] Different – Equal Treatment
Some people are riskier
• Based on system/data access
• Role/visibility
• Security hygiene
• Disgruntled/disciplined/separating
• Internet presence
It’s OK to treat them differently
• Different training
• Different detective and preventive controls
• If a system’s users are higher risk, so is the system (inherited risk)
71. [Think|Act] Different – Be the Adversary
Your adversary likely doesn’t need an APT, so focus on commodity attack vectors and exploits
Your adversary doesn’t care that your public website in your DMZ (that’s not quite the DMZ you thought) contains no sensitive data – he’ll consume the local credentials and pivot his way throughout your soft gooey center
Your adversary doesn’t care that CVSS rated three vulnerabilities in the same system as 6s, which was below your remediation threshold – three 6s bundled in a $20 exploit kit are more of a risk than a theoretical 10 with no known exploits in the wild
The Chinese threat – your Chinese supplier may be an adversary; visits to China could be dangerous, but keep that in perspective
72. [Think|Act] Different – Password Composition
Make it looooooooooooooooooooooooooooong
Disallow passwords utilizing common topologies [1]
Require a Unicode character (~110,000 encoded)
[1] KoreLogic Security Blog: Pathwell Topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)
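As an added example (not from the talk or from KoreLogic), a password check implementing the three rules above; the 16-character minimum, the small topology blocklist and the one-letter-per-character-class mask are this example's own constructed simplifications:

```python
# Added example, not from the talk or KoreLogic: a check for the three slide-72
# rules. The mask reduces each character to its class (u/l/d/s); the minimum
# length and the blocklist are constructed placeholders, not real statistics.
MIN_LENGTH = 16
# Constructed placeholder for a site's list of its most common topologies.
COMMON_TOPOLOGIES = {"ullllldd", "ulllllldd", "ullllllldddddddd"}


def topology(password: str) -> str:
    """Reduce a password to its character-class mask: 'Secret12!' -> 'ullllldds'."""
    mask = []
    for ch in password:
        if ch.isupper():
            mask.append("u")
        elif ch.islower():
            mask.append("l")
        elif ch.isdigit():
            mask.append("d")
        else:
            mask.append("s")      # symbols, spaces, anything else
    return "".join(mask)


def check(password: str) -> list:
    """Return the rules the password violates; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if topology(password) in COMMON_TOPOLOGIES:
        problems.append("common topology")
    if not any(ord(ch) > 0x7F for ch in password):   # the Unicode rule
        problems.append("no non-ASCII character")
    return problems
```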
73. [Think|Act] Different – Measurement
Measure security awareness – or it's not worth it. And an easy multiple-choice quiz immediately after watching training isn't the way.
Select small # of people, ask them about knowledge of risk or desired behavior
Train users
Wait a month
Select small # of people, ask them about knowledge of risk or desired behavior
Don’t worry about statistical significance
Walk your environment
Unattended logged-in computers, passwords in plain sight, doors propped open, 2FA tokens unattended, personal computers connected to network
Talk to people – don’t have a game plan, just see what you can learn and teach
74. Rules and Guidelines
Understand your environment!
Build relationships and establish credibility!
Give people and processes appropriate attention!
76. Fallacy – Security Through Obscurity
Shouldn't be only control
Valid approach as part of a group of controls
Often highly effective against opportunistic attacks
• Can be effective against subset of targeted attacks
77. Fallacy – We Can’t Switch From IE
Alleged reason – we have software that’s only compatible with it
Install an alternate browser
• Only use IE for those web apps
• Install Chrome or Firefox with IE Tab extension
• Switch to alternate browser when attacks in the wild or in your environment
79. Fallacy – We Can’t Move to Prevent Mode
Measure, analyze
Use statistics to establish appropriate thresholds
Table-top or simulate prevention
Don’t try to boil the ocean (IPS, DLP, WAF, EMET, etc.)
Present a well-thought-out plan comparing current, near-term, and future controls analysis
Demonstrate success
Repeat
Build credibility
82. Fallacy – Best Practices
Best Practice [adjective] ˈbest [noun] ˈprak-təs: Something that is done regularly by so many people it acquires this designation, regardless of effectiveness
84. Fallacy – It’s Our Job To Say It’s Secure
Security is a spectrum
And depends on risk appetite
Besides, remember what you said about…
• Full Disk Encryption?
• Salted MD5 passwords?
• SSL?
• TLS?
• 2-factor authentication?
• TrueCrypt?
86. Fallacy – Users are not Idiots and Fixing Stupid
If users are idiots we are idiots too
We often don’t eat our own dog food
There are plenty of things we do that appear to be poor risk decisions to subject matter experts from other fields
Not everyone’s behavior can be changed, but we can do a lot better job of influencing it
87. Big Takeaways
Question “best practices” and challenge the status quo
Beware of unintended consequences
Bust broken paradigms
Think and act different
88. Rules
Make it difficult and they will find a workaround!
A vulnerability without an impact is not a risk!
A vulnerability without a threat is not a risk!
Start simple and enhance later!
People don’t care about your data and systems! Make it personal!
Your employees’ personal lives are not out of scope to your adversaries!
Do not say “You can’t” until you’ve asked “How might we?”!
Never say “It’s secure.” Say “The risk is low” or “The risk is acceptable.”
Give people and processes appropriate attention.
Best practices are a unicorn! There’s only what works and what doesn’t.
89. Guiding Principles
Understand your environment
Implement practical, palatable solutions
Align with business needs
Communicate current state, future state, and gaps
Maximize utilization of available resources
Build relationships and establish credibility
Measure what matters
Challenge the status quo
Look outside of the echo chamber
Take advantage of opportunities